
Windows Analysis Report
Pb4xbhZNjF.exe

Overview

General Information

Sample name: Pb4xbhZNjF.exe (renamed because original name is a hash value)
Original sample name: 8926f99da65ad1172fa67c51df4c0a72cb1c5630e90a6f408bfa20b399596eb8.exe
Analysis ID: 1588556
MD5: 05340c957a5dab58667cb27b36cb08aa
SHA1: 841f7a9995df5e073aebefdd17c2a86f1e5b8f32
SHA256: 8926f99da65ad1172fa67c51df4c0a72cb1c5630e90a6f408bfa20b399596eb8
Tags: exe, Formbook, user-adrian__luca

Detection

FormBook
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Pb4xbhZNjF.exe (PID: 5132 cmdline: "C:\Users\user\Desktop\Pb4xbhZNjF.exe" MD5: 05340C957A5DAB58667CB27B36CB08AA)
    • svchost.exe (PID: 2988 cmdline: "C:\Users\user\Desktop\Pb4xbhZNjF.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000002.00000002.2235039185.0000000003F50000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.2233986614.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\Pb4xbhZNjF.exe", CommandLine: "C:\Users\user\Desktop\Pb4xbhZNjF.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Pb4xbhZNjF.exe", ParentImage: C:\Users\user\Desktop\Pb4xbhZNjF.exe, ParentProcessId: 5132, ParentProcessName: Pb4xbhZNjF.exe, ProcessCommandLine: "C:\Users\user\Desktop\Pb4xbhZNjF.exe", ProcessId: 2988, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\Pb4xbhZNjF.exe", CommandLine: "C:\Users\user\Desktop\Pb4xbhZNjF.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Pb4xbhZNjF.exe", ParentImage: C:\Users\user\Desktop\Pb4xbhZNjF.exe, ParentProcessId: 5132, ParentProcessName: Pb4xbhZNjF.exe, ProcessCommandLine: "C:\Users\user\Desktop\Pb4xbhZNjF.exe", ProcessId: 2988, ProcessName: svchost.exe
No Suricata rule has matched


AV Detection

Source: Pb4xbhZNjF.exe | Virustotal: Detection: 59%
Source: Pb4xbhZNjF.exe | ReversingLabs: Detection: 68%
Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2235039185.0000000003F50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2233986614.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Pb4xbhZNjF.exe | Joe Sandbox ML: detected
Source: Pb4xbhZNjF.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: wntdll.pdbUGP | source: Pb4xbhZNjF.exe, 00000000.00000003.2188970931.00000000041F0000.00000004.00001000.00020000.00000000.sdmp, Pb4xbhZNjF.exe, 00000000.00000003.2189958154.0000000004390000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2195503319.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2189837501.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2234452743.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2234452743.0000000003C00000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: Pb4xbhZNjF.exe, 00000000.00000003.2188970931.00000000041F0000.00000004.00001000.00020000.00000000.sdmp, Pb4xbhZNjF.exe, 00000000.00000003.2189958154.0000000004390000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2195503319.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2189837501.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2234452743.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2234452743.0000000003C00000.00000040.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Code function: 0_2_0008445A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Code function: 0_2_0008C6D1 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Code function: 0_2_0008C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Code function: 0_2_0008EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Code function: 0_2_0008F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Code function: 0_2_0008F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Code function: 0_2_000837EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Code function: 0_2_00083B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Code function: 0_2_0008BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Code function: 0_2_000922EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Code function: 0_2_00094164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Code function: 0_2_00093F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Code function: 0_2_0008001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Code function: 0_2_000ACABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

E-Banking Fraud

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2235039185.0000000003F50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2233986614.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Code function: 0_2_00023B3A: This is a third-party compiled AutoIt script.
Source: Pb4xbhZNjF.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Pb4xbhZNjF.exe, 00000000.00000000.2145315428.00000000000D4000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_3b0e5afb-a)
Source: Pb4xbhZNjF.exe, 00000000.00000000.2145315428.00000000000D4000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` (memstr_dddb1403-2)
Source: Pb4xbhZNjF.exe | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_2cfc242b-c)
Source: Pb4xbhZNjF.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` (memstr_4fcd0546-3)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042C893 NtClose
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72B60 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C735C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C74340 NtSetContextThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C74650 NtSuspendThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72BE0 NtQueryValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72BF0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72BA0 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72AD0 NtReadFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72AF0 NtWriteFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72FE0 NtCreateFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72FA0 NtQuerySection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72FB0 NtResumeThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72F30 NtCreateSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72EE0 NtQueueApcThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72E80 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72DD0 NtDelayExecution
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72D10 NtMapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72D30 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72CA0 NtQueryInformationToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72C60 NtCreateKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72C70 NtFreeVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C73090 NtSetValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C73010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C739B0 NtGetContextThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C73D70 NtOpenThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C73D10 NtOpenProcessToken
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Code function: 0_2_0008A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Code function: 0_2_00078310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Code function: 0_2_000851BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03C75130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03C2B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03C87E54 appears 111 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03CAEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03CBF290 appears 105 times
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Code function: String function: 00027DE1 appears 35 times
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Code function: String function: 00040AE3 appears 70 times
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Code function: String function: 00048900 appears 42 times
Source: Pb4xbhZNjF.exe, 00000000.00000003.2188288833.00000000044BD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Pb4xbhZNjF.exe
Source: Pb4xbhZNjF.exe, 00000000.00000003.2186228499.00000000042C3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Pb4xbhZNjF.exe
Source: Pb4xbhZNjF.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engine | Classification label: mal80.troj.evad.winEXE@3/2@0/0
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Code function: 0_2_0008A06A GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Code function: 0_2_000781CB AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Code function: 0_2_000787E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Code function: 0_2_0008B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Code function: 0_2_0009EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
          Source: C:\Users\user\Desktop\Pb4xbhZNjF.exeCode function: 0_2_0008C397 CoInitialize,CoCreateInstance,CoUninitialize,0_2_0008C397
          Source: C:\Users\user\Desktop\Pb4xbhZNjF.exeCode function: 0_2_00024E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_00024E89
          Source: C:\Users\user\Desktop\Pb4xbhZNjF.exeFile created: C:\Users\user\AppData\Local\Temp\aut8034.tmpJump to behavior
          Source: Pb4xbhZNjF.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Pb4xbhZNjF.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: Pb4xbhZNjF.exeVirustotal: Detection: 59%
          Source: Pb4xbhZNjF.exeReversingLabs: Detection: 68%
          Source: unknownProcess created: C:\Users\user\Desktop\Pb4xbhZNjF.exe "C:\Users\user\Desktop\Pb4xbhZNjF.exe"
          Source: C:\Users\user\Desktop\Pb4xbhZNjF.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Pb4xbhZNjF.exe"
          Source: C:\Users\user\Desktop\Pb4xbhZNjF.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Pb4xbhZNjF.exe"Jump to behavior
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Section loaded: ntmarta.dll
Source: Pb4xbhZNjF.exe | Static file information: File size 1226752 > 1048576
Source: Pb4xbhZNjF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Pb4xbhZNjF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Pb4xbhZNjF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Pb4xbhZNjF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Pb4xbhZNjF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Pb4xbhZNjF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Pb4xbhZNjF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: wntdll.pdbUGP source: Pb4xbhZNjF.exe, 00000000.00000003.2188970931.00000000041F0000.00000004.00001000.00020000.00000000.sdmp, Pb4xbhZNjF.exe, 00000000.00000003.2189958154.0000000004390000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2195503319.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2189837501.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2234452743.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2234452743.0000000003C00000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: Pb4xbhZNjF.exe, 00000000.00000003.2188970931.00000000041F0000.00000004.00001000.00020000.00000000.sdmp, Pb4xbhZNjF.exe, 00000000.00000003.2189958154.0000000004390000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2195503319.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2189837501.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2234452743.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2234452743.0000000003C00000.00000040.00001000.00020000.00000000.sdmp
Source: Pb4xbhZNjF.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Pb4xbhZNjF.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Pb4xbhZNjF.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Pb4xbhZNjF.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Pb4xbhZNjF.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Code function: 0_2_00024B37 LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Code function: 0_2_00048945 push ecx; ret 0_2_00048958
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004030C0 push eax; ret 2_2_004030C2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040D0E4 push edx; retf 2_2_0040D0E5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040808C push esp; ret 2_2_00408097
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00417257 push 00000020h; iretd 2_2_00417259
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00417260 pushad ; retf 2_2_0041726B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041EA38 push eax; retf 2_2_0041EA4B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004172D4 pushad ; retf 2_2_0041726B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041EA8D push esp; retf 2_2_0041EA8E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00423F50 push FFFFFFD3h; iretd 2_2_00423F5B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00416797 push ds; iretd 2_2_004167A2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C0225F pushad ; ret 2_2_03C027F9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C027FA pushad ; ret 2_2_03C027F9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C309AD push ecx; mov dword ptr [esp], ecx 2_2_03C309B6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C0283D push eax; iretd 2_2_03C02858
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C01368 push eax; iretd 2_2_03C01369
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C01065 push edi; ret 2_2_03C0108A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C018F3 push edx; iretd 2_2_03C01906
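The push/ret, push/retf and push/iretd pairs above are how packed code transfers control without a call or jmp: the target is pushed and a return instruction pops it into EIP, which breaks call-graph recovery and return-address based stack traces. As an added example, not part of the report or the sample, the following Python scanner locates such pairs in raw x86 code bytes; the input buffer is constructed for the demonstration. It slides one byte at a time, so like the sandbox's own listing it also reports pairs that sit inside longer instructions (the second address in each row above is where the return byte lies), which is why these counts are a heuristic rather than proof of obfuscation.

```python
import struct

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
SEGMENT_PUSH = {0x06: "es", 0x0E: "cs", 0x16: "ss", 0x1E: "ds"}
# Return-family opcodes that complete a push/ret pair and their instruction lengths.
RETURNS = {0xC3: ("ret", 1), 0xCB: ("retf", 1), 0xCF: ("iretd", 1),
           0xC2: ("ret imm16", 3), 0xCA: ("retf imm16", 3)}


def decode_push(buf: bytes, i: int):
    """Decode a single push at buf[i]; return (text, length) or None if it is not a push."""
    op = buf[i]
    if 0x50 <= op <= 0x57:                          # push r32
        return f"push {REG32[op - 0x50]}", 1
    if op in SEGMENT_PUSH:                          # push sreg
        return f"push {SEGMENT_PUSH[op]}", 1
    if op == 0x60:                                  # pushad
        return "pushad", 1
    if op == 0x6A and i + 1 < len(buf):             # push imm8, sign-extended to 32 bits
        imm = struct.unpack_from("<b", buf, i + 1)[0] & 0xFFFFFFFF
        return f"push 0x{imm:08x}", 2
    if op == 0x68 and i + 4 < len(buf):             # push imm32
        imm = struct.unpack_from("<I", buf, i + 1)[0]
        return f"push 0x{imm:08x}", 5
    return None


def find_push_ret(buf: bytes) -> list:
    """Return [(offset, 'push ...; ret-variant')] for every push immediately followed by a return."""
    hits = []
    for i in range(len(buf)):
        push = decode_push(buf, i)
        if push is None:
            continue
        text, length = push
        j = i + length
        if j < len(buf) and buf[j] in RETURNS:
            hits.append((i, f"{text}; {RETURNS[buf[j]][0]}"))
    return hits


# Constructed sample bytes (not taken from the sample): nop, push eax; ret, nop,
# push imm32; ret, pushad; retf, push ds; iretd, push imm8; iretd, nop.
SAMPLE = bytes.fromhex("90 50 C3 90 68 78 56 34 12 C3 60 CB 1E CF 6A D3 CF 90")

if __name__ == "__main__":
    for offset, text in find_push_ret(SAMPLE):
        print(f"{offset:#06x}: {text}")
```

The imm8 case reproduces the sandbox's rendering of `push FFFFFFD3h`: a single byte 0xD3 is sign-extended to 32 bits before it lands on the stack, so the pushed dword is 0xFFFFFFD3.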
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Code function: 0_2_000248D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Code function: 0_2_000A5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Code function: 0_2_00043187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | API/Special instruction interceptor: Address: 19A8D84
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C7096E rdtsc
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | API coverage: 4.7 %
Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.6 %
Source: C:\Windows\SysWOW64\svchost.exe TID: 4884 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Code function: 0_2_0008445A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Code function: 0_2_0008C6D1 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Code function: 0_2_0008C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Code function: 0_2_0008EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Code function: 0_2_0008F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Code function: 0_2_0008F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Code function: 0_2_000837EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Code function: 0_2_00083B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Code function: 0_2_0008BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Code function: 0_2_000249A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | API call chain: ExitProcess graph end node | graph_0-101231
Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C7096E rdtsc
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00417983 LdrLoadDll
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Code function: 0_2_00093F09 BlockInput
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Code function: 0_2_00023B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Code function: 0_2_00055A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Code function: 0_2_00024B37 LoadLibraryA,GetProcAddress
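The IsDebuggerPresent and DebugPort rows above, and the long run of `mov eax, dword ptr fs:[00000030h]` rows that follows, are two views of the same structure: fs:[30h] is the 32-bit PEB, and IsDebuggerPresent does nothing more than return PEB.BeingDebugged (offset 0x02), while the other classic check reads PEB.NtGlobalFlag (offset 0x68 in the x86 PEB, 0xBC in the 64-bit PEB) for the three heap-debug flags the loader sets when a process is created under a debugger. The same read also starts the PEB.Ldr walks that packed code uses to resolve APIs by hand, so a high count of fs:[30h] reads is not by itself an anti-debugging verdict; it has to be weighed together with the explicit API rows. The following Python is an added example, not report or sample code, that decodes those fields from a PEB image the way such a check does; the PEB bytes are constructed for the demonstration and the offsets are the published x86 layout.

```python
import struct

# 32-bit PEB field offsets (what a WOW64 process such as the SysWOW64 svchost.exe sees).
PEB_BEING_DEBUGGED = 0x02   # BOOLEAN, the value IsDebuggerPresent returns
PEB_IMAGE_BASE = 0x08       # PVOID ImageBaseAddress
PEB_LDR = 0x0C              # PPEB_LDR_DATA, root of the loaded-module lists
PEB_NT_GLOBAL_FLAG = 0x68   # ULONG NtGlobalFlag

# Heap flags the loader ORs into NtGlobalFlag when the process starts under a debugger.
FLG_HEAP_ENABLE_TAIL_CHECK = 0x10
FLG_HEAP_ENABLE_FREE_CHECK = 0x20
FLG_HEAP_VALIDATE_PARAMETERS = 0x40
DEBUGGER_HEAP_FLAGS = (FLG_HEAP_ENABLE_TAIL_CHECK
                       | FLG_HEAP_ENABLE_FREE_CHECK
                       | FLG_HEAP_VALIDATE_PARAMETERS)


def peb_fields(peb: bytes) -> dict:
    """Decode the PEB fields that anti-debug and API-resolution code read through fs:[30h]."""
    if len(peb) < PEB_NT_GLOBAL_FLAG + 4:
        raise ValueError("need at least 0x6C bytes of PEB")
    return {
        "BeingDebugged": peb[PEB_BEING_DEBUGGED],
        "ImageBaseAddress": struct.unpack_from("<I", peb, PEB_IMAGE_BASE)[0],
        "Ldr": struct.unpack_from("<I", peb, PEB_LDR)[0],
        "NtGlobalFlag": struct.unpack_from("<I", peb, PEB_NT_GLOBAL_FLAG)[0],
    }


def debugger_indicators(peb: bytes) -> list:
    """Return the debugger indicators a PEB-based check would find in this PEB image."""
    fields = peb_fields(peb)
    hits = []
    if fields["BeingDebugged"]:
        hits.append("PEB.BeingDebugged is set (IsDebuggerPresent would return TRUE)")
    # All three flags must be present; a single FLG_* bit can come from gflags/IFEO settings.
    if fields["NtGlobalFlag"] & DEBUGGER_HEAP_FLAGS == DEBUGGER_HEAP_FLAGS:
        hits.append("NtGlobalFlag carries the debug-heap flags (0x70)")
    return hits


def build_peb(being_debugged=0, image_base=0x00400000, ldr=0x77000000, nt_global_flag=0) -> bytes:
    """Constructed 32-bit PEB image (not a dump from the sample): zeros apart from the fields set here."""
    peb = bytearray(0x200)
    peb[PEB_BEING_DEBUGGED] = being_debugged
    struct.pack_into("<I", peb, PEB_IMAGE_BASE, image_base)
    struct.pack_into("<I", peb, PEB_LDR, ldr)
    struct.pack_into("<I", peb, PEB_NT_GLOBAL_FLAG, nt_global_flag)
    return bytes(peb)


if __name__ == "__main__":
    for label, peb in (("clean process", build_peb()),
                       ("under debugger", build_peb(being_debugged=1, nt_global_flag=0x70))):
        print(label, peb_fields(peb), debugger_indicators(peb))
```

Both fields are trivially patched by an analyst (clear the byte at +0x02, mask the flags at +0x68), which is why samples usually pair them with the rdtsc timing and DebugPort queries seen in the rows above rather than relying on either alone.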
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Code function: 0_2_019A9050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Code function: 0_2_019A79F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe | Code function: 0_2_019A8FF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CEC3CD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C383C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C383C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C383C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C383C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB63C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CDE3DB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CDE3DB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CDE3DB mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CDE3DB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CD43D4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CD43D4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C4E3F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C4E3F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C4E3F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C663FF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C2E388 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C2E388 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C2E388 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C5438F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C5438F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C28397 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C28397 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C28397 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB035C mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CFA352 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CD8350 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D0634F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CD437C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6A30B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6A30B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6A30B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C2C310 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C50310 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D08324 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D08324 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D08324 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D08324 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D062D6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C402E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C402E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C402E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6E284 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6E284 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB0283 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB0283 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB0283 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CC62A0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB8243 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB8243 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D0625D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C2A250 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C36259 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CEA250 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CEA250 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C34260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C34260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C34260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C2826B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C2823B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CF61C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CF61C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CAE1D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D061E5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C601F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C70185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CEC188 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CEC188 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CD4180 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CD4180 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB019F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB019F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB019F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB019F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C2A197 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C2A197 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C2A197 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CC4144 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CC4144 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CC4144 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CC4144 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CC4144 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C2C156 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CC8158 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C36154 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C36154 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D04164 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D04164 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CDE10E mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CDE10E mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h]2_2_03CDE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h]2_2_03CDE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDE10E mov ecx, dword ptr fs:[00000030h]2_2_03CDE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h]2_2_03CDE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDE10E mov ecx, dword ptr fs:[00000030h]2_2_03CDE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDA118 mov ecx, dword ptr fs:[00000030h]2_2_03CDA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDA118 mov eax, dword ptr fs:[00000030h]2_2_03CDA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDA118 mov eax, dword ptr fs:[00000030h]2_2_03CDA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDA118 mov eax, dword ptr fs:[00000030h]2_2_03CDA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF0115 mov eax, dword ptr fs:[00000030h]2_2_03CF0115
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C60124 mov eax, dword ptr fs:[00000030h]2_2_03C60124
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB20DE mov eax, dword ptr fs:[00000030h]2_2_03CB20DE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2A0E3 mov ecx, dword ptr fs:[00000030h]2_2_03C2A0E3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C380E9 mov eax, dword ptr fs:[00000030h]2_2_03C380E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB60E0 mov eax, dword ptr fs:[00000030h]2_2_03CB60E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2C0F0 mov eax, dword ptr fs:[00000030h]2_2_03C2C0F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C720F0 mov ecx, dword ptr fs:[00000030h]2_2_03C720F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C3208A mov eax, dword ptr fs:[00000030h]2_2_03C3208A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C280A0 mov eax, dword ptr fs:[00000030h]2_2_03C280A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC80A8 mov eax, dword ptr fs:[00000030h]2_2_03CC80A8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF60B8 mov eax, dword ptr fs:[00000030h]2_2_03CF60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF60B8 mov ecx, dword ptr fs:[00000030h]2_2_03CF60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C32050 mov eax, dword ptr fs:[00000030h]2_2_03C32050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB6050 mov eax, dword ptr fs:[00000030h]2_2_03CB6050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5C073 mov eax, dword ptr fs:[00000030h]2_2_03C5C073
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB4000 mov ecx, dword ptr fs:[00000030h]2_2_03CB4000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]2_2_03CD2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]2_2_03CD2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]2_2_03CD2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]2_2_03CD2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]2_2_03CD2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]2_2_03CD2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]2_2_03CD2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]2_2_03CD2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4E016 mov eax, dword ptr fs:[00000030h]2_2_03C4E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4E016 mov eax, dword ptr fs:[00000030h]2_2_03C4E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4E016 mov eax, dword ptr fs:[00000030h]2_2_03C4E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4E016 mov eax, dword ptr fs:[00000030h]2_2_03C4E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2A020 mov eax, dword ptr fs:[00000030h]2_2_03C2A020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2C020 mov eax, dword ptr fs:[00000030h]2_2_03C2C020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC6030 mov eax, dword ptr fs:[00000030h]2_2_03CC6030
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C3C7C0 mov eax, dword ptr fs:[00000030h]2_2_03C3C7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB07C3 mov eax, dword ptr fs:[00000030h]2_2_03CB07C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C527ED mov eax, dword ptr fs:[00000030h]2_2_03C527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C527ED mov eax, dword ptr fs:[00000030h]2_2_03C527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C527ED mov eax, dword ptr fs:[00000030h]2_2_03C527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CBE7E1 mov eax, dword ptr fs:[00000030h]2_2_03CBE7E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C347FB mov eax, dword ptr fs:[00000030h]2_2_03C347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C347FB mov eax, dword ptr fs:[00000030h]2_2_03C347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD678E mov eax, dword ptr fs:[00000030h]2_2_03CD678E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C307AF mov eax, dword ptr fs:[00000030h]2_2_03C307AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE47A0 mov eax, dword ptr fs:[00000030h]2_2_03CE47A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6674D mov esi, dword ptr fs:[00000030h]2_2_03C6674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6674D mov eax, dword ptr fs:[00000030h]2_2_03C6674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6674D mov eax, dword ptr fs:[00000030h]2_2_03C6674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C30750 mov eax, dword ptr fs:[00000030h]2_2_03C30750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CBE75D mov eax, dword ptr fs:[00000030h]2_2_03CBE75D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72750 mov eax, dword ptr fs:[00000030h]2_2_03C72750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72750 mov eax, dword ptr fs:[00000030h]2_2_03C72750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB4755 mov eax, dword ptr fs:[00000030h]2_2_03CB4755
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C38770 mov eax, dword ptr fs:[00000030h]2_2_03C38770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6C700 mov eax, dword ptr fs:[00000030h]2_2_03C6C700
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C30710 mov eax, dword ptr fs:[00000030h]2_2_03C30710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C60710 mov eax, dword ptr fs:[00000030h]2_2_03C60710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6C720 mov eax, dword ptr fs:[00000030h]2_2_03C6C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6C720 mov eax, dword ptr fs:[00000030h]2_2_03C6C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6273C mov eax, dword ptr fs:[00000030h]2_2_03C6273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6273C mov ecx, dword ptr fs:[00000030h]2_2_03C6273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6273C mov eax, dword ptr fs:[00000030h]2_2_03C6273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAC730 mov eax, dword ptr fs:[00000030h]2_2_03CAC730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6A6C7 mov ebx, dword ptr fs:[00000030h]2_2_03C6A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6A6C7 mov eax, dword ptr fs:[00000030h]2_2_03C6A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03CAE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03CAE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03CAE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03CAE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB06F1 mov eax, dword ptr fs:[00000030h]2_2_03CB06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB06F1 mov eax, dword ptr fs:[00000030h]2_2_03CB06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C34690 mov eax, dword ptr fs:[00000030h]2_2_03C34690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C34690 mov eax, dword ptr fs:[00000030h]2_2_03C34690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6C6A6 mov eax, dword ptr fs:[00000030h]2_2_03C6C6A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C666B0 mov eax, dword ptr fs:[00000030h]2_2_03C666B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4C640 mov eax, dword ptr fs:[00000030h]2_2_03C4C640
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF866E mov eax, dword ptr fs:[00000030h]2_2_03CF866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF866E mov eax, dword ptr fs:[00000030h]2_2_03CF866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6A660 mov eax, dword ptr fs:[00000030h]2_2_03C6A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6A660 mov eax, dword ptr fs:[00000030h]2_2_03C6A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C62674 mov eax, dword ptr fs:[00000030h]2_2_03C62674
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAE609 mov eax, dword ptr fs:[00000030h]2_2_03CAE609
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]2_2_03C4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]2_2_03C4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]2_2_03C4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]2_2_03C4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]2_2_03C4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]2_2_03C4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]2_2_03C4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72619 mov eax, dword ptr fs:[00000030h]2_2_03C72619
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4E627 mov eax, dword ptr fs:[00000030h]2_2_03C4E627
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C66620 mov eax, dword ptr fs:[00000030h]2_2_03C66620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C68620 mov eax, dword ptr fs:[00000030h]2_2_03C68620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C3262C mov eax, dword ptr fs:[00000030h]2_2_03C3262C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6E5CF mov eax, dword ptr fs:[00000030h]2_2_03C6E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6E5CF mov eax, dword ptr fs:[00000030h]2_2_03C6E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C365D0 mov eax, dword ptr fs:[00000030h]2_2_03C365D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6A5D0 mov eax, dword ptr fs:[00000030h]2_2_03C6A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6A5D0 mov eax, dword ptr fs:[00000030h]2_2_03C6A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03C5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03C5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03C5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03C5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03C5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03C5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03C5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03C5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C325E0 mov eax, dword ptr fs:[00000030h]2_2_03C325E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6C5ED mov eax, dword ptr fs:[00000030h]2_2_03C6C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6C5ED mov eax, dword ptr fs:[00000030h]2_2_03C6C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C32582 mov eax, dword ptr fs:[00000030h]2_2_03C32582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C32582 mov ecx, dword ptr fs:[00000030h]2_2_03C32582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C64588 mov eax, dword ptr fs:[00000030h]2_2_03C64588
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6E59C mov eax, dword ptr fs:[00000030h]2_2_03C6E59C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB05A7 mov eax, dword ptr fs:[00000030h]2_2_03CB05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB05A7 mov eax, dword ptr fs:[00000030h]2_2_03CB05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB05A7 mov eax, dword ptr fs:[00000030h]2_2_03CB05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C545B1 mov eax, dword ptr fs:[00000030h]2_2_03C545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C545B1 mov eax, dword ptr fs:[00000030h]2_2_03C545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C38550 mov eax, dword ptr fs:[00000030h]2_2_03C38550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C38550 mov eax, dword ptr fs:[00000030h]2_2_03C38550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6656A mov eax, dword ptr fs:[00000030h]2_2_03C6656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6656A mov eax, dword ptr fs:[00000030h]2_2_03C6656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6656A mov eax, dword ptr fs:[00000030h]2_2_03C6656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC6500 mov eax, dword ptr fs:[00000030h]2_2_03CC6500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]2_2_03D04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]2_2_03D04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]2_2_03D04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]2_2_03D04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]2_2_03D04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]2_2_03D04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]2_2_03D04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]2_2_03C40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]2_2_03C40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]2_2_03C40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]2_2_03C40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]2_2_03C40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]2_2_03C40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E53E mov eax, dword ptr fs:[00000030h]2_2_03C5E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E53E mov eax, dword ptr fs:[00000030h]2_2_03C5E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E53E mov eax, dword ptr fs:[00000030h]2_2_03C5E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E53E mov eax, dword ptr fs:[00000030h]2_2_03C5E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E53E mov eax, dword ptr fs:[00000030h]2_2_03C5E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C304E5 mov ecx, dword ptr fs:[00000030h]2_2_03C304E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CEA49A mov eax, dword ptr fs:[00000030h]2_2_03CEA49A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C364AB mov eax, dword ptr fs:[00000030h]2_2_03C364AB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C644B0 mov ecx, dword ptr fs:[00000030h]2_2_03C644B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CBA4B0 mov eax, dword ptr fs:[00000030h]2_2_03CBA4B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]2_2_03C6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]2_2_03C6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]2_2_03C6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]2_2_03C6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]2_2_03C6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]2_2_03C6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]2_2_03C6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]2_2_03C6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CEA456 mov eax, dword ptr fs:[00000030h]2_2_03CEA456
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2645D mov eax, dword ptr fs:[00000030h]2_2_03C2645D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5245A mov eax, dword ptr fs:[00000030h]2_2_03C5245A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CBC460 mov ecx, dword ptr fs:[00000030h]2_2_03CBC460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5A470 mov eax, dword ptr fs:[00000030h]2_2_03C5A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5A470 mov eax, dword ptr fs:[00000030h]2_2_03C5A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5A470 mov eax, dword ptr fs:[00000030h]2_2_03C5A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C68402 mov eax, dword ptr fs:[00000030h]2_2_03C68402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C68402 mov eax, dword ptr fs:[00000030h]2_2_03C68402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C68402 mov eax, dword ptr fs:[00000030h]2_2_03C68402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2E420 mov eax, dword ptr fs:[00000030h]2_2_03C2E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2E420 mov eax, dword ptr fs:[00000030h]2_2_03C2E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2E420 mov eax, dword ptr fs:[00000030h]2_2_03C2E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2C427 mov eax, dword ptr fs:[00000030h]2_2_03C2C427
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]2_2_03CB6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]2_2_03CB6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]2_2_03CB6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]2_2_03CB6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]2_2_03CB6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]2_2_03CB6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]2_2_03CB6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6A430 mov eax, dword ptr fs:[00000030h]2_2_03C6A430
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C50BCB mov eax, dword ptr fs:[00000030h]2_2_03C50BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C50BCB mov eax, dword ptr fs:[00000030h]2_2_03C50BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C50BCB mov eax, dword ptr fs:[00000030h]2_2_03C50BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C30BCD mov eax, dword ptr fs:[00000030h]2_2_03C30BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C30BCD mov eax, dword ptr fs:[00000030h]2_2_03C30BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C30BCD mov eax, dword ptr fs:[00000030h]2_2_03C30BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDEBD0 mov eax, dword ptr fs:[00000030h]2_2_03CDEBD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C38BF0 mov eax, dword ptr fs:[00000030h]2_2_03C38BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C38BF0 mov eax, dword ptr fs:[00000030h]2_2_03C38BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C38BF0 mov eax, dword ptr fs:[00000030h]2_2_03C38BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5EBFC mov eax, dword ptr fs:[00000030h]2_2_03C5EBFC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CBCBF0 mov eax, dword ptr fs:[00000030h]2_2_03CBCBF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40BBE mov eax, dword ptr fs:[00000030h]2_2_03C40BBE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40BBE mov eax, dword ptr fs:[00000030h]2_2_03C40BBE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE4BB0 mov eax, dword ptr fs:[00000030h]2_2_03CE4BB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE4BB0 mov eax, dword ptr fs:[00000030h]2_2_03CE4BB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE4B4B mov eax, dword ptr fs:[00000030h]2_2_03CE4B4B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE4B4B mov eax, dword ptr fs:[00000030h]2_2_03CE4B4B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D02B57 mov eax, dword ptr fs:[00000030h]2_2_03D02B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D02B57 mov eax, dword ptr fs:[00000030h]2_2_03D02B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D02B57 mov eax, dword ptr fs:[00000030h]2_2_03D02B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D02B57 mov eax, dword ptr fs:[00000030h]2_2_03D02B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC6B40 mov eax, dword ptr fs:[00000030h]2_2_03CC6B40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC6B40 mov eax, dword ptr fs:[00000030h]2_2_03CC6B40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CFAB40 mov eax, dword ptr fs:[00000030h]2_2_03CFAB40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD8B42 mov eax, dword ptr fs:[00000030h]2_2_03CD8B42
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C28B50 mov eax, dword ptr fs:[00000030h]2_2_03C28B50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDEB50 mov eax, dword ptr fs:[00000030h]2_2_03CDEB50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2CB7E mov eax, dword ptr fs:[00000030h]2_2_03C2CB7E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D04B00 mov eax, dword ptr fs:[00000030h]2_2_03D04B00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h] 2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h] 2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h] 2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h] 2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h] 2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h] 2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h] 2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h] 2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h] 2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C5EB20 mov eax, dword ptr fs:[00000030h] 2_2_03C5EB20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C5EB20 mov eax, dword ptr fs:[00000030h] 2_2_03C5EB20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CF8B28 mov eax, dword ptr fs:[00000030h] 2_2_03CF8B28
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CF8B28 mov eax, dword ptr fs:[00000030h] 2_2_03CF8B28
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C86ACC mov eax, dword ptr fs:[00000030h] 2_2_03C86ACC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C86ACC mov eax, dword ptr fs:[00000030h] 2_2_03C86ACC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C86ACC mov eax, dword ptr fs:[00000030h] 2_2_03C86ACC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C30AD0 mov eax, dword ptr fs:[00000030h] 2_2_03C30AD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C64AD0 mov eax, dword ptr fs:[00000030h] 2_2_03C64AD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C64AD0 mov eax, dword ptr fs:[00000030h] 2_2_03C64AD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C6AAEE mov eax, dword ptr fs:[00000030h] 2_2_03C6AAEE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C6AAEE mov eax, dword ptr fs:[00000030h] 2_2_03C6AAEE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h] 2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h] 2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h] 2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h] 2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h] 2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h] 2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h] 2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h] 2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h] 2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03D04A80 mov eax, dword ptr fs:[00000030h] 2_2_03D04A80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C68A90 mov edx, dword ptr fs:[00000030h] 2_2_03C68A90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C38AA0 mov eax, dword ptr fs:[00000030h] 2_2_03C38AA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C38AA0 mov eax, dword ptr fs:[00000030h] 2_2_03C38AA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C86AA4 mov eax, dword ptr fs:[00000030h] 2_2_03C86AA4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h] 2_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h] 2_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h] 2_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h] 2_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h] 2_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h] 2_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h] 2_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C40A5B mov eax, dword ptr fs:[00000030h] 2_2_03C40A5B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C40A5B mov eax, dword ptr fs:[00000030h] 2_2_03C40A5B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C6CA6F mov eax, dword ptr fs:[00000030h] 2_2_03C6CA6F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C6CA6F mov eax, dword ptr fs:[00000030h] 2_2_03C6CA6F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C6CA6F mov eax, dword ptr fs:[00000030h] 2_2_03C6CA6F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CDEA60 mov eax, dword ptr fs:[00000030h] 2_2_03CDEA60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CACA72 mov eax, dword ptr fs:[00000030h] 2_2_03CACA72
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CACA72 mov eax, dword ptr fs:[00000030h] 2_2_03CACA72
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CBCA11 mov eax, dword ptr fs:[00000030h] 2_2_03CBCA11
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C6CA24 mov eax, dword ptr fs:[00000030h] 2_2_03C6CA24
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C5EA2E mov eax, dword ptr fs:[00000030h] 2_2_03C5EA2E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C54A35 mov eax, dword ptr fs:[00000030h] 2_2_03C54A35
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C54A35 mov eax, dword ptr fs:[00000030h] 2_2_03C54A35
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C6CA38 mov eax, dword ptr fs:[00000030h] 2_2_03C6CA38
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CC69C0 mov eax, dword ptr fs:[00000030h] 2_2_03CC69C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h] 2_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h] 2_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h] 2_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h] 2_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h] 2_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h] 2_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C649D0 mov eax, dword ptr fs:[00000030h] 2_2_03C649D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CFA9D3 mov eax, dword ptr fs:[00000030h] 2_2_03CFA9D3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CBE9E0 mov eax, dword ptr fs:[00000030h] 2_2_03CBE9E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C629F9 mov eax, dword ptr fs:[00000030h] 2_2_03C629F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C629F9 mov eax, dword ptr fs:[00000030h] 2_2_03C629F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h] 2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h] 2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h] 2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h] 2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h] 2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h] 2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h] 2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h] 2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h] 2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h] 2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h] 2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h] 2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h] 2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C309AD mov eax, dword ptr fs:[00000030h] 2_2_03C309AD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C309AD mov eax, dword ptr fs:[00000030h] 2_2_03C309AD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB89B3 mov esi, dword ptr fs:[00000030h] 2_2_03CB89B3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB89B3 mov eax, dword ptr fs:[00000030h] 2_2_03CB89B3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB89B3 mov eax, dword ptr fs:[00000030h] 2_2_03CB89B3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB0946 mov eax, dword ptr fs:[00000030h] 2_2_03CB0946
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03D04940 mov eax, dword ptr fs:[00000030h] 2_2_03D04940
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C56962 mov eax, dword ptr fs:[00000030h] 2_2_03C56962
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C56962 mov eax, dword ptr fs:[00000030h] 2_2_03C56962
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C56962 mov eax, dword ptr fs:[00000030h] 2_2_03C56962
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C7096E mov eax, dword ptr fs:[00000030h] 2_2_03C7096E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C7096E mov edx, dword ptr fs:[00000030h] 2_2_03C7096E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C7096E mov eax, dword ptr fs:[00000030h] 2_2_03C7096E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CD4978 mov eax, dword ptr fs:[00000030h] 2_2_03CD4978
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CD4978 mov eax, dword ptr fs:[00000030h] 2_2_03CD4978
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CBC97C mov eax, dword ptr fs:[00000030h] 2_2_03CBC97C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CAE908 mov eax, dword ptr fs:[00000030h] 2_2_03CAE908
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CAE908 mov eax, dword ptr fs:[00000030h] 2_2_03CAE908
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CBC912 mov eax, dword ptr fs:[00000030h] 2_2_03CBC912
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C28918 mov eax, dword ptr fs:[00000030h] 2_2_03C28918
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C28918 mov eax, dword ptr fs:[00000030h] 2_2_03C28918
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB892A mov eax, dword ptr fs:[00000030h] 2_2_03CB892A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CC892B mov eax, dword ptr fs:[00000030h] 2_2_03CC892B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C5E8C0 mov eax, dword ptr fs:[00000030h] 2_2_03C5E8C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03D008C0 mov eax, dword ptr fs:[00000030h] 2_2_03D008C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CFA8E4 mov eax, dword ptr fs:[00000030h] 2_2_03CFA8E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C6C8F9 mov eax, dword ptr fs:[00000030h] 2_2_03C6C8F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C6C8F9 mov eax, dword ptr fs:[00000030h] 2_2_03C6C8F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C30887 mov eax, dword ptr fs:[00000030h] 2_2_03C30887
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CBC89D mov eax, dword ptr fs:[00000030h] 2_2_03CBC89D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C42840 mov ecx, dword ptr fs:[00000030h] 2_2_03C42840
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C60854 mov eax, dword ptr fs:[00000030h] 2_2_03C60854
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C34859 mov eax, dword ptr fs:[00000030h] 2_2_03C34859
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C34859 mov eax, dword ptr fs:[00000030h] 2_2_03C34859
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CBE872 mov eax, dword ptr fs:[00000030h] 2_2_03CBE872
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CBE872 mov eax, dword ptr fs:[00000030h] 2_2_03CBE872
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe Code function: 0_2_000780A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation, 0_2_000780A9
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe Code function: 0_2_0004A124 SetUnhandledExceptionFilter, 0_2_0004A124
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe Code function: 0_2_0004A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0004A155

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 3184008
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe Code function: 0_2_000787B1 LogonUserW, 0_2_000787B1
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe Code function: 0_2_00023B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00023B3A
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe Code function: 0_2_000248D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_000248D7
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe Code function: 0_2_00084C27 mouse_event, 0_2_00084C27
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Pb4xbhZNjF.exe"
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe Code function: 0_2_00077CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_00077CAF
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe Code function: 0_2_0007874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_0007874B
Source: Pb4xbhZNjF.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Pb4xbhZNjF.exe Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe Code function: 0_2_0004862B cpuid 0_2_0004862B
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe Code function: 0_2_00054E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00054E87
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe Code function: 0_2_00061E06 GetUserNameW, 0_2_00061E06
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe Code function: 0_2_00053F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_00053F3A
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe Code function: 0_2_000249A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_000249A0

Stealing of Sensitive Information

Source: Yara match, File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000002.00000002.2235039185.0000000003F50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.2233986614.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Pb4xbhZNjF.exe Binary or memory string: WIN_81
Source: Pb4xbhZNjF.exe Binary or memory string: WIN_XP
Source: Pb4xbhZNjF.exe Binary or memory string: WIN_XPe
Source: Pb4xbhZNjF.exe Binary or memory string: WIN_VISTA
Source: Pb4xbhZNjF.exe Binary or memory string: WIN_7
Source: Pb4xbhZNjF.exe Binary or memory string: WIN_8
Source: Pb4xbhZNjF.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Source: Yara match, File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000002.00000002.2235039185.0000000003F50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.2233986614.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe Code function: 0_2_00096283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 0_2_00096283
Source: C:\Users\user\Desktop\Pb4xbhZNjF.exe Code function: 0_2_00096747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00096747
MITRE ATT&CK Matrix (techniques listed per tactic; a number in parentheses is the count of matched signatures for that technique, techniques without a number had no match)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising
Initial Access: Valid Accounts (2), Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
Execution: Native API (1), Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter
Persistence: Valid Accounts (2), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
Privilege Escalation: Valid Accounts (2), Exploitation for Privilege Escalation (1), Access Token Manipulation (21), Process Injection (212), DLL Side-Loading (1), RC Scripts, Startup Items, Scheduled Task/Job, At
Defense Evasion: Valid Accounts (2), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (2), Access Token Manipulation (21), Process Injection (212), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), DLL Side-Loading (1), HTML Smuggling
Credential Access: Input Capture (21), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
Discovery: System Time Discovery (2), Security Software Discovery (15), Virtualization/Sandbox Evasion (2), Process Discovery (3), Application Window Discovery (1), Account Discovery (1), System Owner/User Discovery (1), File and Directory Discovery (1), System Information Discovery (115)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections
Collection: Input Capture (21), Archive Collected Data (1), Clipboard Data (3), Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
Command and Control: Encrypted Channel (1), Ingress Tool Transfer (1), Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1), Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement
Source | Detection | Scanner | Label
Pb4xbhZNjF.exe | 60% | Virustotal |
Pb4xbhZNjF.exe | 68% | ReversingLabs | Win32.Trojan.AutoitInject
Pb4xbhZNjF.exe | 100% | Joe Sandbox ML |
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | high
            No contacted IP infos
            Joe Sandbox version:42.0.0 Malachite
            Analysis ID:1588556
            Start date and time:2025-01-11 02:21:11 +01:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 4m 54s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of analysed new started processes analysed:3
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:Pb4xbhZNjF.exe
            renamed because original name is a hash value
            Original Sample Name:8926f99da65ad1172fa67c51df4c0a72cb1c5630e90a6f408bfa20b399596eb8.exe
            Detection:MAL
            Classification:mal80.troj.evad.winEXE@3/2@0/0
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:
            • Successful, ratio: 97%
            • Number of executed functions: 51
            • Number of non-executed functions: 276
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Stop behavior analysis, all processes terminated
            • Exclude process from analysis (whitelisted): dllhost.exe
            • Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.45
            • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ocsp.edge.digicert.com, sls.update.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net
            • Report size exceeded maximum capacity and may have missing disassembly code.
Time | Type | Description
20:22:13 | API Interceptor | 3x Sleep call for process: svchost.exe modified
            No context
Match: fp2e7a.wpc.phicdn.net
Associated Sample Name / URL | Detection | Threat Name | Context
229242754773566299.js | malicious | Strela Downloader | 192.229.221.95
GhwFStoMJX.exe | malicious | Unknown | 192.229.221.95
AudioCodesAppSuite.exe | malicious | Unknown | 192.229.221.95
launcher.exe.bin.exe | malicious | PureLog Stealer, Xmrig, zgRAT | 192.229.221.95
Shipping Document.exe | malicious | FormBook, PureLog Stealer | 192.229.221.95
https://marcuso-wq.github.io/home/ | malicious | HTMLPhisher | 192.229.221.95
1.png | malicious | Unknown | 192.229.221.95
atomxml.ps1 | malicious | PureLog Stealer, RHADAMANTHYS, zgRAT | 192.229.221.95
TR98760H.exe | malicious | AgentTesla | 192.229.221.95
Payment-Order #24560274 for 8,380 USD.exe | malicious | XWorm | 192.229.221.95
            No context
            No context
            No context
            Process:C:\Users\user\Desktop\Pb4xbhZNjF.exe
            File Type:data
            Category:dropped
            Size (bytes):288768
            Entropy (8bit):7.992384338005211
            Encrypted:true
            SSDEEP:6144:JgbkpWDLFjRRvL1aAuELj57baKcEyigAVvfi9lyZSlddO3T0/MGT:JgbkpWHFla5E/57Ph72QZqe3T0/1
            MD5:013DDB69174476F3EC00810818ABDE44
            SHA1:879699D8BD33DEF25C2111A565A4F5FC604E368F
            SHA-256:AC792F97A698DD3383560B55A48D352B601F1AF15A6E01E09A4E70861D406A47
            SHA-512:E53FD3BDE3DEC29F4B35F02280196E16CE8BF78E52A0DC17399EE527E6538F8C68661AA0BF1E4CEEBD59F5C02432105563828EE796E302643547BD225DA2D360
            Malicious:false
            Reputation:low
Preview:
            Process:C:\Users\user\Desktop\Pb4xbhZNjF.exe
            File Type:data
            Category:dropped
            Size (bytes):288768
            Entropy (8bit):7.992384338005211
            Encrypted:true
            SSDEEP:6144:JgbkpWDLFjRRvL1aAuELj57baKcEyigAVvfi9lyZSlddO3T0/MGT:JgbkpWHFla5E/57Ph72QZqe3T0/1
            MD5:013DDB69174476F3EC00810818ABDE44
            SHA1:879699D8BD33DEF25C2111A565A4F5FC604E368F
            SHA-256:AC792F97A698DD3383560B55A48D352B601F1AF15A6E01E09A4E70861D406A47
            SHA-512:E53FD3BDE3DEC29F4B35F02280196E16CE8BF78E52A0DC17399EE527E6538F8C68661AA0BF1E4CEEBD59F5C02432105563828EE796E302643547BD225DA2D360
            Malicious:false
            Reputation:low
Preview:
            File type:PE32 executable (GUI) Intel 80386, for MS Windows
            Entropy (8bit):7.2086907622039975
            TrID:
            • Win32 Executable (generic) a (10002005/4) 99.96%
            • Generic Win/DOS Executable (2004/3) 0.02%
            • DOS Executable Generic (2002/1) 0.02%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:Pb4xbhZNjF.exe
            File size:1'226'752 bytes
            MD5:05340c957a5dab58667cb27b36cb08aa
            SHA1:841f7a9995df5e073aebefdd17c2a86f1e5b8f32
            SHA256:8926f99da65ad1172fa67c51df4c0a72cb1c5630e90a6f408bfa20b399596eb8
            SHA512:b1f6d4b09b666bda2b47f240416f41f08df6ffc4dd08a6a890e7b6b7c24d9d196aa3c8b5aa52dd20684de4844bca085281f07f12d6c52b364699ed80ff68f75e
            SSDEEP:24576:Ku6J33O0c+JY5UZ+XC0kGso6Faa0cwdq5G1Fqotug+WY:8u0c++OCvkGs9Faavqq5G1FYYY
            TLSH:E245CF2273DEC360CB669173BF69B7016EBF3C610630B95B2F980D7DA950162162D7A3
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
            Icon Hash:aaf3e3e3938382a0
            Entrypoint:0x427dcd
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
            Time Stamp:0x67529E3E [Fri Dec 6 06:48:30 2024 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:5
            OS Version Minor:1
            File Version Major:5
            File Version Minor:1
            Subsystem Version Major:5
            Subsystem Version Minor:1
            Import Hash:afcdf79be1557326c854b6e20cb900a7
            Instruction
            call 00007F8FE8C7606Ah
            jmp 00007F8FE8C68E34h
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            push edi
            push esi
            mov esi, dword ptr [esp+10h]
            mov ecx, dword ptr [esp+14h]
            mov edi, dword ptr [esp+0Ch]
            mov eax, ecx
            mov edx, ecx
            add eax, esi
            cmp edi, esi
            jbe 00007F8FE8C68FBAh
            cmp edi, eax
            jc 00007F8FE8C6931Eh
            bt dword ptr [004C31FCh], 01h
            jnc 00007F8FE8C68FB9h
            rep movsb
            jmp 00007F8FE8C692CCh
            cmp ecx, 00000080h
            jc 00007F8FE8C69184h
            mov eax, edi
            xor eax, esi
            test eax, 0000000Fh
            jne 00007F8FE8C68FC0h
            bt dword ptr [004BE324h], 01h
            jc 00007F8FE8C69490h
            bt dword ptr [004C31FCh], 00000000h
            jnc 00007F8FE8C6915Dh
            test edi, 00000003h
            jne 00007F8FE8C6916Eh
            test esi, 00000003h
            jne 00007F8FE8C6914Dh
            bt edi, 02h
            jnc 00007F8FE8C68FBFh
            mov eax, dword ptr [esi]
            sub ecx, 04h
            lea esi, dword ptr [esi+04h]
            mov dword ptr [edi], eax
            lea edi, dword ptr [edi+04h]
            bt edi, 03h
            jnc 00007F8FE8C68FC3h
            movq xmm1, qword ptr [esi]
            sub ecx, 08h
            lea esi, dword ptr [esi+08h]
            movq qword ptr [edi], xmm1
            lea edi, dword ptr [edi+08h]
            test esi, 00000007h
            je 00007F8FE8C69015h
            bt esi, 03h
            jnc 00007F8FE8C69068h
            Programming Language:
            • [ASM] VS2013 build 21005
            • [ C ] VS2013 build 21005
            • [C++] VS2013 build 21005
            • [ C ] VS2008 SP1 build 30729
            • [IMP] VS2008 SP1 build 30729
            • [ASM] VS2013 UPD4 build 31101
            • [RES] VS2013 build 21005
            • [LNK] VS2013 UPD4 build 31101
            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x62f4c | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x12a000 | 0x711c | .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            .text | 0x1000 | 0x8dcc4 | 0x8de00 | d28a820a1d9ff26cda02d12b888ba4b4 | False | 0.5728679102422908 | data | 6.676118058520316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .rsrc | 0xc7000 | 0x62f4c | 0x63000 | 9b3e0fb54a69680c7233bd7cd4e6c530 | False | 0.9338452888257576 | data | 7.906829158110574 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc | 0x12a000 | 0x711c | 0x7200 | 6fcae3cbbf6bfbabf5ec5bbe7cf612c3 | False | 0.7650767543859649 | data | 6.779031650454199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
            RT_ICON | 0xc75a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
            RT_ICON | 0xc76d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
            RT_ICON | 0xc77f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
            RT_ICON | 0xc7920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
            RT_ICON | 0xc7c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
            RT_ICON | 0xc7d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
            RT_ICON | 0xc8bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
            RT_ICON | 0xc9480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
            RT_ICON | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
            RT_ICON | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
            RT_ICON | 0xcd038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
            RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 0.9
            RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
            RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 0.2747909199522103
            RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 0.3715753424657534
            RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
            RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
            RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
            RT_STRING | 0xcf660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
            RT_RCDATA | 0xcf7b8 | 0x5a213 | data | | | 1.0003277613897084
            RT_GROUP_ICON | 0x1299cc | 0x76 | data | English | Great Britain | 0.6610169491525424
            RT_GROUP_ICON | 0x129a44 | 0x14 | data | English | Great Britain | 1.25
            RT_GROUP_ICON | 0x129a58 | 0x14 | data | English | Great Britain | 1.15
            RT_GROUP_ICON | 0x129a6c | 0x14 | data | English | Great Britain | 1.25
            RT_VERSION | 0x129a80 | 0xdc | data | English | Great Britain | 0.6181818181818182
            RT_MANIFEST | 0x129b5c | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
            DLL | Import
            WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
            VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
            WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
            COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
            MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
            WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
            PSAPI.DLL | GetProcessMemoryInfo
            IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
            USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
            UxTheme.dll | IsThemeActive
            KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
            USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
            GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
            COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
            ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
            SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
            ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
            OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
            Language of compilation system | Country where language is spoken
            English | Great Britain
            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
            Jan 11, 2025 02:22:22.350219011 CET | 1.1.1.1 | 192.168.2.6 | 0x1695 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
            Jan 11, 2025 02:22:22.350219011 CET | 1.1.1.1 | 192.168.2.6 | 0x1695 | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false

            Target ID:0
            Start time:20:22:06
            Start date:10/01/2025
            Path:C:\Users\user\Desktop\Pb4xbhZNjF.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\Pb4xbhZNjF.exe"
            Imagebase:0x20000
            File size:1'226'752 bytes
            MD5 hash:05340C957A5DAB58667CB27B36CB08AA
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            Target ID:2
            Start time:20:22:11
            Start date:10/01/2025
            Path:C:\Windows\SysWOW64\svchost.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\Pb4xbhZNjF.exe"
            Imagebase:0xb40000
            File size:46'504 bytes
            MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2235039185.0000000003F50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2233986614.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
            Reputation:high
            Has exited:true

              Execution Graph

              Execution Coverage:3.9%
              Dynamic/Decrypted Code Coverage:0.4%
              Signature Coverage:8.9%
              Total number of Nodes:2000
              Total number of Limit Nodes:60
101564->101565 101654 89e4a 89 API calls 4 library calls 101564->101654 101565->101559 101565->101562 101566 29ea0 331 API calls 101565->101566 101569 2f195 101565->101569 101570 29c90 Mailbox 59 API calls 101565->101570 101571 89e4a 89 API calls 101565->101571 101575 28d40 59 API calls 101565->101575 101649 27f77 59 API calls 2 library calls 101565->101649 101655 76e8f 59 API calls 101565->101655 101656 9c5c3 331 API calls 101565->101656 101657 9b53c 331 API calls Mailbox 101565->101657 101659 993c6 331 API calls Mailbox 101565->101659 101566->101565 101658 89e4a 89 API calls 4 library calls 101569->101658 101570->101565 101571->101565 101575->101565 101578 63e25 101578->101440 101580 2f650 101579->101580 101581 2f4ba 101579->101581 101584 27de1 59 API calls 101580->101584 101582 2f4c6 101581->101582 101583 6441e 101581->101583 101836 2f290 331 API calls 2 library calls 101582->101836 101837 9bc6b 101583->101837 101590 2f58c Mailbox 101584->101590 101587 6442c 101591 2f630 101587->101591 101877 89e4a 89 API calls 4 library calls 101587->101877 101589 2f4fd 101589->101587 101589->101590 101589->101591 101738 9445a 101590->101738 101747 83c37 101590->101747 101750 24e4a 101590->101750 101756 8cb7a 101590->101756 101591->101440 101592 29c90 Mailbox 59 API calls 101593 2f5e3 101592->101593 101593->101591 101593->101592 101599 23212 101598->101599 101601 231e0 101598->101601 101599->101440 101600 23205 IsDialogMessageW 101600->101599 101600->101601 101601->101599 101601->101600 101602 5cf32 GetClassLongW 101601->101602 101602->101600 101602->101601 101603->101440 101604->101406 101605->101410 101606->101440 101607->101415 101608->101415 101609->101415 101610->101440 101611->101440 101612->101440 101614 29851 101613->101614 101615 2984b 101613->101615 101616 5f5d3 __i64tow 101614->101616 101617 29899 101614->101617 101618 29857 __itow 101614->101618 101622 5f4da 101614->101622 101615->101440 102662 43698 83 API calls 2 library calls 101617->102662 101621 40db6 Mailbox 
59 API calls 101618->101621 101623 29871 101621->101623 101624 40db6 Mailbox 59 API calls 101622->101624 101629 5f552 Mailbox _wcscpy 101622->101629 101623->101615 101625 27de1 59 API calls 101623->101625 101626 5f51f 101624->101626 101625->101615 101627 40db6 Mailbox 59 API calls 101626->101627 101628 5f545 101627->101628 101628->101629 101630 27de1 59 API calls 101628->101630 102663 43698 83 API calls 2 library calls 101629->102663 101630->101629 101631->101440 101632->101440 101634 40db6 Mailbox 59 API calls 101633->101634 101635 27688 101634->101635 101636 40db6 Mailbox 59 API calls 101635->101636 101637 27696 101636->101637 101637->101455 101638->101455 101639->101455 101641 27df0 __wsetenvp _memmove 101640->101641 101642 40db6 Mailbox 59 API calls 101641->101642 101643 27e2e 101642->101643 101643->101455 101644->101455 101645->101455 101646->101455 101647->101455 101648->101455 101649->101565 101650->101565 101660 42c44 101651->101660 101653 42d4b 101653->101563 101654->101565 101655->101565 101656->101565 101657->101565 101658->101578 101659->101565 101661 42c50 __alloc_osfhnd 101660->101661 101668 43217 101661->101668 101667 42c77 __alloc_osfhnd 101667->101653 101685 49c0b 101668->101685 101670 42c59 101671 42c88 DecodePointer DecodePointer 101670->101671 101672 42cb5 101671->101672 101673 42c65 101671->101673 101672->101673 101731 487a4 59 API calls __woutput_l 101672->101731 101682 42c82 101673->101682 101675 42d18 EncodePointer EncodePointer 101675->101673 101676 42cc7 101676->101675 101677 42cec 101676->101677 101732 48864 61 API calls 2 library calls 101676->101732 101677->101673 101680 42d06 EncodePointer 101677->101680 101733 48864 61 API calls 2 library calls 101677->101733 101680->101675 101681 42d00 101681->101673 101681->101680 101734 43220 101682->101734 101686 49c1c 101685->101686 101687 49c2f EnterCriticalSection 101685->101687 101692 49c93 101686->101692 101687->101670 101689 49c22 101689->101687 101716 430b5 58 API calls 3 library calls 
101689->101716 101693 49c9f __alloc_osfhnd 101692->101693 101694 49cc0 101693->101694 101695 49ca8 101693->101695 101703 49ce1 __alloc_osfhnd 101694->101703 101720 4881d 58 API calls __malloc_crt 101694->101720 101717 4a16b 58 API calls __NMSG_WRITE 101695->101717 101697 49cad 101718 4a1c8 58 API calls 7 library calls 101697->101718 101700 49cd5 101701 49cdc 101700->101701 101702 49ceb 101700->101702 101721 48b28 58 API calls __getptd_noexit 101701->101721 101706 49c0b __lock 58 API calls 101702->101706 101703->101689 101704 49cb4 101719 4309f GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 101704->101719 101708 49cf2 101706->101708 101710 49d17 101708->101710 101711 49cff 101708->101711 101723 42d55 101710->101723 101722 49e2b InitializeCriticalSectionAndSpinCount 101711->101722 101714 49d0b 101729 49d33 LeaveCriticalSection _doexit 101714->101729 101717->101697 101718->101704 101720->101700 101721->101703 101722->101714 101724 42d5e RtlFreeHeap 101723->101724 101725 42d87 _free 101723->101725 101724->101725 101726 42d73 101724->101726 101725->101714 101730 48b28 58 API calls __getptd_noexit 101726->101730 101728 42d79 GetLastError 101728->101725 101729->101703 101730->101728 101731->101676 101732->101677 101733->101681 101737 49d75 LeaveCriticalSection 101734->101737 101736 42c87 101736->101667 101737->101736 101739 29837 84 API calls 101738->101739 101740 94494 101739->101740 101878 26240 101740->101878 101742 944a4 101743 944c9 101742->101743 101744 29ea0 331 API calls 101742->101744 101746 944cd 101743->101746 101903 29a98 59 API calls Mailbox 101743->101903 101744->101743 101746->101593 101912 8445a GetFileAttributesW 101747->101912 101751 24e54 101750->101751 101752 24e5b 101750->101752 101916 453a6 101751->101916 101754 24e6a 101752->101754 101755 24e7b FreeLibrary 101752->101755 101754->101593 101755->101754 101757 27667 59 API calls 101756->101757 101758 8cbaf 101757->101758 101759 27667 59 API calls 101758->101759 101760 8cbb8 
101759->101760 101763 8cbcc 101760->101763 102373 29b3c 59 API calls 101760->102373 101762 29837 84 API calls 101764 8cbe9 101762->101764 101763->101762 101765 8ccea 101764->101765 101766 8cc0b 101764->101766 101835 8cd1a Mailbox 101764->101835 102186 24ddd 101765->102186 101767 29837 84 API calls 101766->101767 101769 8cc17 101767->101769 101771 28047 59 API calls 101769->101771 101774 8cc23 101771->101774 101772 8cd16 101773 27667 59 API calls 101772->101773 101772->101835 101776 8cd4b 101773->101776 101779 8cc69 101774->101779 101780 8cc37 101774->101780 101775 24ddd 136 API calls 101775->101772 101777 27667 59 API calls 101776->101777 101778 8cd54 101777->101778 101782 27667 59 API calls 101778->101782 101781 29837 84 API calls 101779->101781 101783 28047 59 API calls 101780->101783 101785 8cc76 101781->101785 101786 8cd5d 101782->101786 101784 8cc47 101783->101784 101787 27cab 59 API calls 101784->101787 101788 28047 59 API calls 101785->101788 101789 27667 59 API calls 101786->101789 101790 8cc51 101787->101790 101791 8cc82 101788->101791 101792 8cd66 101789->101792 101793 29837 84 API calls 101790->101793 102374 84a31 GetFileAttributesW 101791->102374 101795 29837 84 API calls 101792->101795 101796 8cc5d 101793->101796 101798 8cd73 101795->101798 101799 27b2e 59 API calls 101796->101799 101797 8cc8b 101800 8cc9e 101797->101800 101804 279f2 59 API calls 101797->101804 102210 2459b 101798->102210 101799->101779 101803 29837 84 API calls 101800->101803 101810 8cca4 101800->101810 101802 8cd8e 102261 279f2 101802->102261 101806 8cccb 101803->101806 101804->101800 102375 837ef 75 API calls Mailbox 101806->102375 101809 8cdd1 101812 28047 59 API calls 101809->101812 101810->101835 101811 279f2 59 API calls 101813 8cdae 101811->101813 101814 8cddf 101812->101814 101813->101809 101816 27bcc 59 API calls 101813->101816 101815 27b2e 59 API calls 101814->101815 101817 8cded 101815->101817 101818 8cdc3 101816->101818 101819 27b2e 59 API calls 101817->101819 101821 27bcc 
59 API calls 101818->101821 101820 8cdfb 101819->101820 101822 27b2e 59 API calls 101820->101822 101821->101809 101823 8ce09 101822->101823 101824 29837 84 API calls 101823->101824 101825 8ce15 101824->101825 102264 84071 101825->102264 101827 8ce26 101828 83c37 3 API calls 101827->101828 101829 8ce30 101828->101829 101830 29837 84 API calls 101829->101830 101833 8ce61 101829->101833 101831 8ce4e 101830->101831 102318 89155 101831->102318 101834 24e4a 84 API calls 101833->101834 101834->101835 101835->101593 101836->101589 101838 9bcb0 101837->101838 101839 9bc96 101837->101839 102655 9a213 59 API calls Mailbox 101838->102655 102654 89e4a 89 API calls 4 library calls 101839->102654 101842 9bcbb 101843 29ea0 330 API calls 101842->101843 101844 9bd1c 101843->101844 101845 9bdae 101844->101845 101848 9bd5d 101844->101848 101853 9bca8 Mailbox 101844->101853 101846 9be04 101845->101846 101847 9bdb4 101845->101847 101849 29837 84 API calls 101846->101849 101846->101853 102657 8791a 59 API calls 101847->102657 102656 872df 59 API calls Mailbox 101848->102656 101850 9be16 101849->101850 101852 27e4f 59 API calls 101850->101852 101856 9be3a CharUpperBuffW 101852->101856 101853->101587 101854 9bdd7 102658 25d41 59 API calls Mailbox 101854->102658 101861 9be54 101856->101861 101858 9bd8d 101860 2f460 330 API calls 101858->101860 101859 9bddf Mailbox 101864 2fce0 330 API calls 101859->101864 101860->101853 101862 9be5b 101861->101862 101863 9bea7 101861->101863 102659 872df 59 API calls Mailbox 101862->102659 101865 29837 84 API calls 101863->101865 101864->101853 101866 9beaf 101865->101866 102660 29e5d 60 API calls 101866->102660 101869 9be89 101871 2f460 330 API calls 101869->101871 101870 9beb9 101870->101853 101872 29837 84 API calls 101870->101872 101871->101853 101873 9bed4 101872->101873 102661 25d41 59 API calls Mailbox 101873->102661 101875 9bee4 101876 2fce0 330 API calls 101875->101876 101876->101853 101877->101591 101879 27a16 59 API calls 101878->101879 101897 
26265 101879->101897 101880 2646a 101906 2750f 59 API calls 2 library calls 101880->101906 101882 26484 Mailbox 101882->101742 101885 5dff6 101909 7f8aa 91 API calls 4 library calls 101885->101909 101886 2750f 59 API calls 101886->101897 101890 27d8c 59 API calls 101890->101897 101891 5e004 101910 2750f 59 API calls 2 library calls 101891->101910 101893 5e01a 101893->101882 101894 26799 _memmove 101911 7f8aa 91 API calls 4 library calls 101894->101911 101895 5df92 101896 28029 59 API calls 101895->101896 101899 5df9d 101896->101899 101897->101880 101897->101885 101897->101886 101897->101890 101897->101894 101897->101895 101900 27e4f 59 API calls 101897->101900 101904 25f6c 60 API calls 101897->101904 101905 25d41 59 API calls Mailbox 101897->101905 101907 25e72 60 API calls 101897->101907 101908 27924 59 API calls 2 library calls 101897->101908 101902 40db6 Mailbox 59 API calls 101899->101902 101901 2643b CharUpperBuffW 101900->101901 101901->101897 101902->101894 101903->101746 101904->101897 101905->101897 101906->101882 101907->101897 101908->101897 101909->101891 101910->101893 101911->101882 101913 84475 FindFirstFileW 101912->101913 101915 83c3e 101912->101915 101914 8448a FindClose 101913->101914 101913->101915 101914->101915 101915->101593 101917 453b2 __alloc_osfhnd 101916->101917 101918 453c6 101917->101918 101919 453de 101917->101919 101951 48b28 58 API calls __getptd_noexit 101918->101951 101925 453d6 __alloc_osfhnd 101919->101925 101929 46c11 101919->101929 101921 453cb 101952 48db6 9 API calls __woutput_l 101921->101952 101925->101752 101930 46c21 101929->101930 101931 46c43 EnterCriticalSection 101929->101931 101930->101931 101932 46c29 101930->101932 101933 453f0 101931->101933 101934 49c0b __lock 58 API calls 101932->101934 101935 4533a 101933->101935 101934->101933 101936 4535d 101935->101936 101937 45349 101935->101937 101938 45359 101936->101938 101954 44a3d 101936->101954 101997 48b28 58 API calls __getptd_noexit 101937->101997 101953 45415 
LeaveCriticalSection LeaveCriticalSection _fprintf 101938->101953 101941 4534e 101998 48db6 9 API calls __woutput_l 101941->101998 101947 45377 101971 50a02 101947->101971 101949 4537d 101949->101938 101950 42d55 _free 58 API calls 101949->101950 101950->101938 101951->101921 101952->101925 101953->101925 101955 44a50 101954->101955 101956 44a74 101954->101956 101955->101956 101957 446e6 __fclose_nolock 58 API calls 101955->101957 101960 50b77 101956->101960 101958 44a6d 101957->101958 101999 4d886 101958->101999 101961 45371 101960->101961 101962 50b84 101960->101962 101964 446e6 101961->101964 101962->101961 101963 42d55 _free 58 API calls 101962->101963 101963->101961 101965 44705 101964->101965 101966 446f0 101964->101966 101965->101947 102141 48b28 58 API calls __getptd_noexit 101966->102141 101968 446f5 102142 48db6 9 API calls __woutput_l 101968->102142 101970 44700 101970->101947 101972 50a0e __alloc_osfhnd 101971->101972 101973 50a32 101972->101973 101974 50a1b 101972->101974 101976 50abd 101973->101976 101978 50a42 101973->101978 102158 48af4 58 API calls __getptd_noexit 101974->102158 102163 48af4 58 API calls __getptd_noexit 101976->102163 101977 50a20 102159 48b28 58 API calls __getptd_noexit 101977->102159 101981 50a60 101978->101981 101982 50a6a 101978->101982 102160 48af4 58 API calls __getptd_noexit 101981->102160 101984 4d206 ___lock_fhandle 59 API calls 101982->101984 101983 50a65 102164 48b28 58 API calls __getptd_noexit 101983->102164 101987 50a70 101984->101987 101989 50a83 101987->101989 101990 50a8e 101987->101990 101988 50ac9 102165 48db6 9 API calls __woutput_l 101988->102165 102143 50add 101989->102143 102161 48b28 58 API calls __getptd_noexit 101990->102161 101993 50a27 __alloc_osfhnd 101993->101949 101995 50a89 102162 50ab5 LeaveCriticalSection __unlock_fhandle 101995->102162 101997->101941 101998->101938 102000 4d892 __alloc_osfhnd 101999->102000 102001 4d8b6 102000->102001 102002 4d89f 102000->102002 102004 4d955 102001->102004 102006 
4d8ca 102001->102006 102100 48af4 58 API calls __getptd_noexit 102002->102100 102106 48af4 58 API calls __getptd_noexit 102004->102106 102005 4d8a4 102101 48b28 58 API calls __getptd_noexit 102005->102101 102009 4d8f2 102006->102009 102010 4d8e8 102006->102010 102027 4d206 102009->102027 102102 48af4 58 API calls __getptd_noexit 102010->102102 102011 4d8ed 102107 48b28 58 API calls __getptd_noexit 102011->102107 102014 4d8f8 102016 4d91e 102014->102016 102017 4d90b 102014->102017 102103 48b28 58 API calls __getptd_noexit 102016->102103 102036 4d975 102017->102036 102018 4d961 102108 48db6 9 API calls __woutput_l 102018->102108 102019 4d8ab __alloc_osfhnd 102019->101956 102023 4d917 102105 4d94d LeaveCriticalSection __unlock_fhandle 102023->102105 102024 4d923 102104 48af4 58 API calls __getptd_noexit 102024->102104 102028 4d212 __alloc_osfhnd 102027->102028 102029 4d261 EnterCriticalSection 102028->102029 102030 49c0b __lock 58 API calls 102028->102030 102031 4d287 __alloc_osfhnd 102029->102031 102032 4d237 102030->102032 102031->102014 102033 4d24f 102032->102033 102109 49e2b InitializeCriticalSectionAndSpinCount 102032->102109 102110 4d28b LeaveCriticalSection _doexit 102033->102110 102037 4d982 __write_nolock 102036->102037 102038 4d9e0 102037->102038 102039 4d9c1 102037->102039 102067 4d9b6 102037->102067 102042 4da38 102038->102042 102043 4da1c 102038->102043 102120 48af4 58 API calls __getptd_noexit 102039->102120 102047 4da51 102042->102047 102126 518c1 60 API calls 3 library calls 102042->102126 102123 48af4 58 API calls __getptd_noexit 102043->102123 102044 4e1d6 102044->102023 102045 4d9c6 102121 48b28 58 API calls __getptd_noexit 102045->102121 102111 55c6b 102047->102111 102049 4da21 102124 48b28 58 API calls __getptd_noexit 102049->102124 102051 4d9cd 102122 48db6 9 API calls __woutput_l 102051->102122 102053 4da5f 102056 4ddb8 102053->102056 102127 499ac 58 API calls 2 library calls 102053->102127 102058 4ddd6 102056->102058 102059 4e14b WriteFile 
102056->102059 102057 4da28 102125 48db6 9 API calls __woutput_l 102057->102125 102062 4defa 102058->102062 102070 4ddec 102058->102070 102063 4ddab GetLastError 102059->102063 102068 4dd78 102059->102068 102074 4dfef 102062->102074 102076 4df05 102062->102076 102063->102068 102064 4da8b GetConsoleMode 102064->102056 102066 4daca 102064->102066 102065 4e184 102065->102067 102132 48b28 58 API calls __getptd_noexit 102065->102132 102066->102056 102069 4dada GetConsoleCP 102066->102069 102134 4c5f6 102067->102134 102068->102065 102068->102067 102073 4ded8 102068->102073 102069->102065 102087 4db09 102069->102087 102070->102065 102071 4de5b WriteFile 102070->102071 102071->102063 102075 4de98 102071->102075 102079 4dee3 102073->102079 102080 4e17b 102073->102080 102074->102065 102081 4e064 WideCharToMultiByte 102074->102081 102075->102070 102095 4debc 102075->102095 102076->102065 102082 4df6a WriteFile 102076->102082 102077 4e1b2 102133 48af4 58 API calls __getptd_noexit 102077->102133 102129 48b28 58 API calls __getptd_noexit 102079->102129 102131 48b07 58 API calls 3 library calls 102080->102131 102081->102063 102086 4e0ab 102081->102086 102082->102063 102083 4dfb9 102082->102083 102083->102068 102083->102076 102083->102095 102086->102068 102086->102074 102089 4e0b3 WriteFile 102086->102089 102086->102095 102087->102068 102093 562ba 60 API calls __write_nolock 102087->102093 102096 4dbf2 WideCharToMultiByte 102087->102096 102099 4dc5f 102087->102099 102128 435f5 58 API calls __isleadbyte_l 102087->102128 102088 4dee8 102130 48af4 58 API calls __getptd_noexit 102088->102130 102089->102086 102092 4e106 GetLastError 102089->102092 102092->102086 102093->102087 102094 57a5e WriteConsoleW CreateFileW __putwch_nolock 102094->102099 102095->102068 102096->102068 102097 4dc2d WriteFile 102096->102097 102097->102063 102097->102099 102098 4dc87 WriteFile 102098->102063 102098->102099 102099->102063 102099->102068 102099->102087 102099->102094 102099->102098 102100->102005 
102101->102019 102102->102011 102103->102024 102104->102023 102105->102019 102106->102011 102107->102018 102108->102019 102109->102033 102110->102029 102112 55c76 102111->102112 102113 55c83 102111->102113 102114 48b28 __woutput_l 58 API calls 102112->102114 102115 55c8f 102113->102115 102116 48b28 __woutput_l 58 API calls 102113->102116 102117 55c7b 102114->102117 102115->102053 102118 55cb0 102116->102118 102117->102053 102119 48db6 __woutput_l 9 API calls 102118->102119 102119->102117 102120->102045 102121->102051 102122->102067 102123->102049 102124->102057 102125->102067 102126->102047 102127->102064 102128->102087 102129->102088 102130->102067 102131->102067 102132->102077 102133->102067 102135 4c600 IsProcessorFeaturePresent 102134->102135 102136 4c5fe 102134->102136 102138 5590a 102135->102138 102136->102044 102139 558b9 ___raise_securityfailure 5 API calls 102138->102139 102140 559ed 102139->102140 102140->102044 102141->101968 102142->101970 102166 4d4c3 102143->102166 102145 50aeb 102146 50b41 102145->102146 102148 4d4c3 __lseek_nolock 58 API calls 102145->102148 102157 50b1f 102145->102157 102179 4d43d 59 API calls 2 library calls 102146->102179 102151 50b16 102148->102151 102149 4d4c3 __lseek_nolock 58 API calls 102152 50b2b CloseHandle 102149->102152 102150 50b49 102153 50b6b 102150->102153 102180 48b07 58 API calls 3 library calls 102150->102180 102154 4d4c3 __lseek_nolock 58 API calls 102151->102154 102152->102146 102155 50b37 GetLastError 102152->102155 102153->101995 102154->102157 102155->102146 102157->102146 102157->102149 102158->101977 102159->101993 102160->101983 102161->101995 102162->101993 102163->101983 102164->101988 102165->101993 102167 4d4ce 102166->102167 102169 4d4e3 102166->102169 102181 48af4 58 API calls __getptd_noexit 102167->102181 102172 4d508 102169->102172 102183 48af4 58 API calls __getptd_noexit 102169->102183 102171 4d4d3 102182 48b28 58 API calls __getptd_noexit 102171->102182 102172->102145 102173 4d512 102184 48b28 
58 API calls __getptd_noexit 102173->102184 102176 4d4db 102176->102145 102177 4d51a 102185 48db6 9 API calls __woutput_l 102177->102185 102179->102150 102180->102153 102181->102171 102182->102176 102183->102173 102184->102177 102185->102176 102376 24bb5 102186->102376 102191 5d8e6 102194 24e4a 84 API calls 102191->102194 102192 24e08 LoadLibraryExW 102386 24b6a 102192->102386 102196 5d8ed 102194->102196 102198 24b6a 3 API calls 102196->102198 102200 5d8f5 102198->102200 102199 24e2f 102199->102200 102201 24e3b 102199->102201 102412 24f0b 102200->102412 102203 24e4a 84 API calls 102201->102203 102205 24e40 102203->102205 102205->101772 102205->101775 102207 5d91c 102420 24ec7 102207->102420 102211 27667 59 API calls 102210->102211 102212 245b1 102211->102212 102213 27667 59 API calls 102212->102213 102214 245b9 102213->102214 102215 27667 59 API calls 102214->102215 102216 245c1 102215->102216 102217 27667 59 API calls 102216->102217 102218 245c9 102217->102218 102219 5d4d2 102218->102219 102220 245fd 102218->102220 102221 28047 59 API calls 102219->102221 102222 2784b 59 API calls 102220->102222 102223 5d4db 102221->102223 102224 2460b 102222->102224 102602 27d8c 102223->102602 102226 27d2c 59 API calls 102224->102226 102227 24615 102226->102227 102228 24640 102227->102228 102229 2784b 59 API calls 102227->102229 102230 24680 102228->102230 102232 2465f 102228->102232 102243 5d4fb 102228->102243 102233 24636 102229->102233 102589 2784b 102230->102589 102237 279f2 59 API calls 102232->102237 102236 27d2c 59 API calls 102233->102236 102234 24691 102238 246a3 102234->102238 102241 28047 59 API calls 102234->102241 102235 5d5cb 102239 27bcc 59 API calls 102235->102239 102236->102228 102240 24669 102237->102240 102242 246b3 102238->102242 102244 28047 59 API calls 102238->102244 102257 5d588 102239->102257 102240->102230 102247 2784b 59 API calls 102240->102247 102241->102238 102246 246ba 102242->102246 102248 28047 59 API calls 102242->102248 102243->102235 102245 
5d5b4 102243->102245 102252 5d532 102243->102252 102244->102242 102245->102235 102250 5d59f 102245->102250 102249 28047 59 API calls 102246->102249 102256 246c1 Mailbox 102246->102256 102247->102230 102248->102246 102249->102256 102254 27bcc 59 API calls 102250->102254 102251 5d590 102253 27bcc 59 API calls 102251->102253 102252->102251 102259 5d57b 102252->102259 102253->102257 102254->102257 102255 279f2 59 API calls 102255->102257 102256->101802 102257->102230 102257->102255 102606 27924 59 API calls 2 library calls 102257->102606 102260 27bcc 59 API calls 102259->102260 102260->102257 102262 27e4f 59 API calls 102261->102262 102263 279fd 102262->102263 102263->101809 102263->101811 102265 8408d 102264->102265 102266 840a0 102265->102266 102267 84092 102265->102267 102269 27667 59 API calls 102266->102269 102268 28047 59 API calls 102267->102268 102317 8409b Mailbox 102268->102317 102270 840a8 102269->102270 102271 27667 59 API calls 102270->102271 102272 840b0 102271->102272 102273 27667 59 API calls 102272->102273 102274 840bb 102273->102274 102275 27667 59 API calls 102274->102275 102276 840c3 102275->102276 102277 27667 59 API calls 102276->102277 102278 840cb 102277->102278 102279 27667 59 API calls 102278->102279 102280 840d3 102279->102280 102281 27667 59 API calls 102280->102281 102282 840db 102281->102282 102283 27667 59 API calls 102282->102283 102284 840e3 102283->102284 102285 2459b 59 API calls 102284->102285 102286 840fa 102285->102286 102287 2459b 59 API calls 102286->102287 102288 84113 102287->102288 102289 279f2 59 API calls 102288->102289 102290 8411f 102289->102290 102291 84132 102290->102291 102292 27d2c 59 API calls 102290->102292 102293 279f2 59 API calls 102291->102293 102292->102291 102294 8413b 102293->102294 102295 8414b 102294->102295 102296 27d2c 59 API calls 102294->102296 102297 28047 59 API calls 102295->102297 102296->102295 102298 84157 102297->102298 102299 27b2e 59 API calls 102298->102299 102300 84163 102299->102300 102608 
84223 59 API calls 102300->102608 102302 84172 102609 84223 59 API calls 102302->102609 102304 84185 102305 279f2 59 API calls 102304->102305 102306 8418f 102305->102306 102307 84194 102306->102307 102308 841a6 102306->102308 102310 27cab 59 API calls 102307->102310 102309 279f2 59 API calls 102308->102309 102311 841af 102309->102311 102312 841a1 102310->102312 102317->101827 102319 89162 __write_nolock 102318->102319 102320 40db6 Mailbox 59 API calls 102319->102320 102321 891bf 102320->102321 102322 2522e 59 API calls 102321->102322 102323 891c9 102322->102323 102324 88f5f GetSystemTimeAsFileTime 102323->102324 102325 891d4 102324->102325 102326 24ee5 85 API calls 102325->102326 102327 891e7 _wcscmp 102326->102327 102328 892b8 102327->102328 102329 8920b 102327->102329 102330 89734 96 API calls 102328->102330 102627 89734 102329->102627 102346 89284 _wcscat 102330->102346 102334 24f0b 74 API calls 102335 892dd 102334->102335 102337 24f0b 74 API calls 102335->102337 102336 892c1 102336->101833 102339 892ed 102337->102339 102338 89239 _wcscat _wcscpy 102634 440fb 58 API calls __wsplitpath_helper 102338->102634 102340 24f0b 74 API calls 102339->102340 102342 89308 102340->102342 102343 24f0b 74 API calls 102342->102343 102344 89318 102343->102344 102345 24f0b 74 API calls 102344->102345 102347 89333 102345->102347 102346->102334 102346->102336 102348 24f0b 74 API calls 102347->102348 102349 89343 102348->102349 102350 24f0b 74 API calls 102349->102350 102351 89353 102350->102351 102352 24f0b 74 API calls 102351->102352 102353 89363 102352->102353 102610 898e3 GetTempPathW GetTempFileNameW 102353->102610 102355 8936f 102356 4525b 115 API calls 102355->102356 102366 89380 102356->102366 102366->102336 102373->101763 102374->101797 102375->101810 102425 24c03 102376->102425 102379 24c03 2 API calls 102382 24bdc 102379->102382 102380 24bf5 102383 4525b 102380->102383 102381 24bec FreeLibrary 102381->102380 102382->102380 102382->102381 102429 45270 102383->102429 102385 
24dfc 102385->102191 102385->102192 102510 24c36 102386->102510 102389 24b8f 102390 24ba1 FreeLibrary 102389->102390 102391 24baa 102389->102391 102390->102391 102393 24c70 102391->102393 102392 24c36 2 API calls 102392->102389 102394 40db6 Mailbox 59 API calls 102393->102394 102395 24c85 102394->102395 102514 2522e 102395->102514 102397 24c91 _memmove 102398 24ccc 102397->102398 102399 24dc1 102397->102399 102400 24d89 102397->102400 102401 24ec7 69 API calls 102398->102401 102528 8991b 95 API calls 102399->102528 102517 24e89 CreateStreamOnHGlobal 102400->102517 102409 24cd5 102401->102409 102404 24f0b 74 API calls 102404->102409 102406 24d69 102406->102199 102407 5d8a7 102408 24ee5 85 API calls 102407->102408 102410 5d8bb 102408->102410 102409->102404 102409->102406 102409->102407 102523 24ee5 102409->102523 102411 24f0b 74 API calls 102410->102411 102411->102406 102413 5d9cd 102412->102413 102414 24f1d 102412->102414 102546 455e2 102414->102546 102417 89109 102566 88f5f 102417->102566 102419 8911f 102419->102207 102421 24ed6 102420->102421 102424 5d990 102420->102424 102571 45c60 102421->102571 102423 24ede 102426 24bd0 102425->102426 102427 24c0c LoadLibraryA 102425->102427 102426->102379 102426->102382 102427->102426 102428 24c1d GetProcAddress 102427->102428 102428->102426 102430 4527c __alloc_osfhnd 102429->102430 102431 4528f 102430->102431 102434 452c0 102430->102434 102478 48b28 58 API calls __getptd_noexit 102431->102478 102433 45294 102479 48db6 9 API calls __woutput_l 102433->102479 102448 504e8 102434->102448 102437 452c5 102438 452ce 102437->102438 102439 452db 102437->102439 102480 48b28 58 API calls __getptd_noexit 102438->102480 102441 45305 102439->102441 102442 452e5 102439->102442 102463 50607 102441->102463 102481 48b28 58 API calls __getptd_noexit 102442->102481 102443 4529f __alloc_osfhnd @_EH4_CallFilterFunc@8 102443->102385 102449 504f4 __alloc_osfhnd 102448->102449 102450 49c0b __lock 58 API calls 102449->102450 102451 50502 

              Control-flow Graph

              APIs
              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00023B68
              • IsDebuggerPresent.KERNEL32 ref: 00023B7A
              • GetFullPathNameW.KERNEL32(00007FFF,?,?,000E52F8,000E52E0,?,?), ref: 00023BEB
                • Part of subcall function 00027BCC: _memmove.LIBCMT ref: 00027C06
                • Part of subcall function 0003092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00023C14,000E52F8,?,?,?), ref: 0003096E
              • SetCurrentDirectoryW.KERNEL32(?), ref: 00023C6F
              • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,000D7770,00000010), ref: 0005D281
              • SetCurrentDirectoryW.KERNEL32(?,000E52F8,?,?,?), ref: 0005D2B9
              • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,000D4260,000E52F8,?,?,?), ref: 0005D33F
              • ShellExecuteW.SHELL32(00000000,?,?), ref: 0005D346
                • Part of subcall function 00023A46: GetSysColorBrush.USER32(0000000F), ref: 00023A50
                • Part of subcall function 00023A46: LoadCursorW.USER32(00000000,00007F00), ref: 00023A5F
                • Part of subcall function 00023A46: LoadIconW.USER32(00000063), ref: 00023A76
                • Part of subcall function 00023A46: LoadIconW.USER32(000000A4), ref: 00023A88
                • Part of subcall function 00023A46: LoadIconW.USER32(000000A2), ref: 00023A9A
                • Part of subcall function 00023A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00023AC0
                • Part of subcall function 00023A46: RegisterClassExW.USER32(?), ref: 00023B16
                • Part of subcall function 000239D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00023A03
                • Part of subcall function 000239D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00023A24
                • Part of subcall function 000239D5: ShowWindow.USER32(00000000,?,?), ref: 00023A38
                • Part of subcall function 000239D5: ShowWindow.USER32(00000000,?,?), ref: 00023A41
                • Part of subcall function 0002434A: _memset.LIBCMT ref: 00024370
                • Part of subcall function 0002434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00024415
              Strings
              • runas, xrefs: 0005D33A
              • This is a third-party compiled AutoIt script., xrefs: 0005D279
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
              • String ID: This is a third-party compiled AutoIt script.$runas
              • API String ID: 529118366-3287110873
              • Opcode ID: 9c3a7196ba76ab9681a475955825efa00fb2e5f5d73cb95b6d6361c4c18e364b
              • Instruction ID: 8af1114b915be1d92a949ee641ec16704efaf558545b207ffe1a9f6ae5e8b13d
              • Opcode Fuzzy Hash: 9c3a7196ba76ab9681a475955825efa00fb2e5f5d73cb95b6d6361c4c18e364b
              • Instruction Fuzzy Hash: 7A513730D08698AEDF11EBB4FC46AFD7B78AF46705F10446AF615BA162CA784605CB20

              Control-flow Graph

              APIs
              • GetVersionExW.KERNEL32(?), ref: 000249CD
                • Part of subcall function 00027BCC: _memmove.LIBCMT ref: 00027C06
              • GetCurrentProcess.KERNEL32(?,000AFAEC,00000000,00000000,?), ref: 00024A9A
              • IsWow64Process.KERNEL32(00000000), ref: 00024AA1
              • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00024AE7
              • FreeLibrary.KERNEL32(00000000), ref: 00024AF2
              • GetSystemInfo.KERNEL32(00000000), ref: 00024B23
              • GetSystemInfo.KERNEL32(00000000), ref: 00024B2F
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
              • String ID:
              • API String ID: 1986165174-0
              • Opcode ID: ba0900a2a91685a0985d810cec029b6800a699ed39e270f8f612d505cbe72637
              • Instruction ID: 129d157a9812fc5fb8e6f784b65412f466d2c85dd253e043c41743569776b28d
              • Opcode Fuzzy Hash: ba0900a2a91685a0985d810cec029b6800a699ed39e270f8f612d505cbe72637
              • Instruction Fuzzy Hash: 9591E33198DBD1DEC771CB7894501ABBFF5AF2A301B4449AED0CB93A02D660E50CC75A

              Control-flow Graph

              APIs
              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00024D8E,?,?,00000000,00000000), ref: 00024E99
              • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00024D8E,?,?,00000000,00000000), ref: 00024EB0
              • LoadResource.KERNEL32(?,00000000,?,?,00024D8E,?,?,00000000,00000000,?,?,?,?,?,?,00024E2F), ref: 0005D937
              • SizeofResource.KERNEL32(?,00000000,?,?,00024D8E,?,?,00000000,00000000,?,?,?,?,?,?,00024E2F), ref: 0005D94C
              • LockResource.KERNEL32(00024D8E,?,?,00024D8E,?,?,00000000,00000000,?,?,?,?,?,?,00024E2F,00000000), ref: 0005D95F
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
              • String ID: SCRIPT
              • API String ID: 3051347437-3967369404
              • Opcode ID: c5eff8b189c4924cecc8d42d2f3ac3aa16a3c8163c1f3cc506a889d156750c2e
              • Instruction ID: 42cc5ecced8320659d555dc72fdad6922e8fd60ff8ff45e63e343d9f6fdc6c7a
              • Opcode Fuzzy Hash: c5eff8b189c4924cecc8d42d2f3ac3aa16a3c8163c1f3cc506a889d156750c2e
              • Instruction Fuzzy Hash: D3115E75240701BFEB218BA5EC88F677BBAFBC6B51F104269F4058A250DB65EC008A60
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: BuffCharUpper
              • String ID:
              • API String ID: 3964851224-0
              • Opcode ID: 34222eaf0cbbf0e922e3cd5f1b8331fa89df211d58ec05d86bd58811cadac34e
              • Instruction ID: 6aa70b618c392eb555a9e88903b1695d3498942b2c8ec8b3bac37b317bfd2a28
              • Opcode Fuzzy Hash: 34222eaf0cbbf0e922e3cd5f1b8331fa89df211d58ec05d86bd58811cadac34e
              • Instruction Fuzzy Hash: 6992AA70A083418FD765DF24C490B6BBBE9BF85304F14896DE88A9B362D771EC45CB92
              APIs
              • GetFileAttributesW.KERNELBASE(?,0005E398), ref: 0008446A
              • FindFirstFileW.KERNELBASE(?,?), ref: 0008447B
              • FindClose.KERNEL32(00000000), ref: 0008448B
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: FileFind$AttributesCloseFirst
              • String ID:
              • API String ID: 48322524-0
              • Opcode ID: 8d455b3c7ab02936f2144ba0d8a6b5884688bb0f266583a6441bcd006af5db49
              • Instruction ID: 4e3dfb740bbd15c23b9aed6bdcfd18a6bc6d202a5e68516c432bb2369ae201b0
              • Opcode Fuzzy Hash: 8d455b3c7ab02936f2144ba0d8a6b5884688bb0f266583a6441bcd006af5db49
              • Instruction Fuzzy Hash: 1AE0D8334109026752107B78EC0D5FA7B9CAF06335F100725F875C10E0EBB85D009795
              Strings
              • Variable must be of type 'Object'., xrefs: 00063E62
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID:
              • String ID: Variable must be of type 'Object'.
              • API String ID: 0-109567571
              • Opcode ID: 3fc51d110d9cc55af7aed2b8882aa224b2d0462bb73ca999c9bfc16816a23e9d
              • Instruction ID: 0fc78e96a01dc5ca451da6ecb2d02a8a4de07b300a49396198092c3f1d114a7b
              • Opcode Fuzzy Hash: 3fc51d110d9cc55af7aed2b8882aa224b2d0462bb73ca999c9bfc16816a23e9d
              • Instruction Fuzzy Hash: 65A2AD74A40265CFCB64CF54E480AAEB7F2FF59310F64806AE909AB352D735ED42CB91
              APIs
              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00030A5B
              • timeGetTime.WINMM ref: 00030D16
              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00030E53
              • Sleep.KERNEL32(0000000A), ref: 00030E61
              • LockWindowUpdate.USER32(00000000,?,?), ref: 00030EFA
              • DestroyWindow.USER32 ref: 00030F06
              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00030F20
              • Sleep.KERNEL32(0000000A,?,?), ref: 00064E83
              • TranslateMessage.USER32(?), ref: 00065C60
              • DispatchMessageW.USER32(?), ref: 00065C6E
              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00065C82
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
              • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
              • API String ID: 4212290369-3242690629
              • Opcode ID: 7a0887ccb2bbb954466031270588208b8c7eb8d03e3345a90b2e7e3e3f703c75
              • Instruction ID: d35c440980fd2eefb775f3dc18366f744b6674c02ce58a94173025191475c7d0
              • Opcode Fuzzy Hash: 7a0887ccb2bbb954466031270588208b8c7eb8d03e3345a90b2e7e3e3f703c75
              • Instruction Fuzzy Hash: F4B2F270608B41DFD729DF24C894BAEB7E5BF85304F14491DF58A9B2A2CB75E884CB42

              Control-flow Graph

              APIs
                • Part of subcall function 00088F5F: __time64.LIBCMT ref: 00088F69
                • Part of subcall function 00024EE5: _fseek.LIBCMT ref: 00024EFD
              • __wsplitpath.LIBCMT ref: 00089234
                • Part of subcall function 000440FB: __wsplitpath_helper.LIBCMT ref: 0004413B
              • _wcscpy.LIBCMT ref: 00089247
              • _wcscat.LIBCMT ref: 0008925A
              • __wsplitpath.LIBCMT ref: 0008927F
              • _wcscat.LIBCMT ref: 00089295
              • _wcscat.LIBCMT ref: 000892A8
                • Part of subcall function 00088FA5: _memmove.LIBCMT ref: 00088FDE
                • Part of subcall function 00088FA5: _memmove.LIBCMT ref: 00088FED
              • _wcscmp.LIBCMT ref: 000891EF
                • Part of subcall function 00089734: _wcscmp.LIBCMT ref: 00089824
                • Part of subcall function 00089734: _wcscmp.LIBCMT ref: 00089837
              • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00089452
              • _wcsncpy.LIBCMT ref: 000894C5
              • DeleteFileW.KERNEL32(?,?), ref: 000894FB
              • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00089511
              • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00089522
              • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00089534
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
              • String ID:
              • API String ID: 1500180987-0
              • Opcode ID: 95e5412bd975a5245e0837680e0809a29971f1a8c790e399ec4ad1a0b2879380
              • Instruction ID: af96d938139933fc7fc355a33f9622a0df142a22da71a03dba5cec4dae729fa8
              • Opcode Fuzzy Hash: 95e5412bd975a5245e0837680e0809a29971f1a8c790e399ec4ad1a0b2879380
              • Instruction Fuzzy Hash: 5CC12EB1D00229AADF21EF95CC85EEEB7BDEF45310F0440A6F609E6152EB709A448F65

              Control-flow Graph

              APIs
              • GetSysColorBrush.USER32(0000000F), ref: 00023074
              • RegisterClassExW.USER32(00000030), ref: 0002309E
              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 000230AF
              • InitCommonControlsEx.COMCTL32(?), ref: 000230CC
              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 000230DC
              • LoadIconW.USER32(000000A9), ref: 000230F2
              • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00023101
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
              • API String ID: 2914291525-1005189915
              • Opcode ID: 08fb0c49be15cec27751497bb6aa02b34d7e62a23ef1a241ea928725f3cbecec
              • Instruction ID: 25f23b734209bc0a7902d8836f3ee58853f85ee65904dfd9cd438abc27c0ed42
              • Opcode Fuzzy Hash: 08fb0c49be15cec27751497bb6aa02b34d7e62a23ef1a241ea928725f3cbecec
              • Instruction Fuzzy Hash: 15313AB1844746DFEB108FE4EC85ADDBBF0FB0A715F14452AE580EA2A0E7B90585CF51

              Control-flow Graph

              APIs
              • GetSysColorBrush.USER32(0000000F), ref: 00023074
              • RegisterClassExW.USER32(00000030), ref: 0002309E
              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 000230AF
              • InitCommonControlsEx.COMCTL32(?), ref: 000230CC
              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 000230DC
              • LoadIconW.USER32(000000A9), ref: 000230F2
              • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00023101
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
              • API String ID: 2914291525-1005189915
              • Opcode ID: 21f560c4b78c1b9b4e8bf03b1d1fb1abee492685fc31d7faa8ffe8b0f3b99902
              • Instruction ID: b23462577d109e71c1c95deaba9714efc183c130fb862fce0dbbcc4a440a4244
              • Opcode Fuzzy Hash: 21f560c4b78c1b9b4e8bf03b1d1fb1abee492685fc31d7faa8ffe8b0f3b99902
              • Instruction Fuzzy Hash: CE21E8B1900659AFEB00DFD4ED88BEDBBF4FB09705F00452AF610BA2A0D7B945448F91

              Control-flow Graph

              APIs
                • Part of subcall function 00024706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,000E52F8,?,000237AE,?), ref: 00024724
                • Part of subcall function 0004050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00027165), ref: 0004052D
              • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 000271A8
              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0005E8C8
              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0005E909
              • RegCloseKey.ADVAPI32(?), ref: 0005E947
              • _wcscat.LIBCMT ref: 0005E9A0
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
              • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
              • API String ID: 2673923337-2727554177
              • Opcode ID: 205382305e6b28878a7dc979d74f83e29cfdda8c8213d13ea33244795f025b5f
              • Instruction ID: c166e73eed0a5cb648113bd9a842795d6056b920570ef39826f4aed90b59b8ad
              • Opcode Fuzzy Hash: 205382305e6b28878a7dc979d74f83e29cfdda8c8213d13ea33244795f025b5f
              • Instruction Fuzzy Hash: 4C71CF715083519ED304EF65FC819AFBBE8FF94750F40052EF644AB1A1DB369948CB92

              Control-flow Graph

              APIs
              • GetSysColorBrush.USER32(0000000F), ref: 00023A50
              • LoadCursorW.USER32(00000000,00007F00), ref: 00023A5F
              • LoadIconW.USER32(00000063), ref: 00023A76
              • LoadIconW.USER32(000000A4), ref: 00023A88
              • LoadIconW.USER32(000000A2), ref: 00023A9A
              • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00023AC0
              • RegisterClassExW.USER32(?), ref: 00023B16
                • Part of subcall function 00023041: GetSysColorBrush.USER32(0000000F), ref: 00023074
                • Part of subcall function 00023041: RegisterClassExW.USER32(00000030), ref: 0002309E
                • Part of subcall function 00023041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 000230AF
                • Part of subcall function 00023041: InitCommonControlsEx.COMCTL32(?), ref: 000230CC
                • Part of subcall function 00023041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 000230DC
                • Part of subcall function 00023041: LoadIconW.USER32(000000A9), ref: 000230F2
                • Part of subcall function 00023041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00023101
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
              • String ID: #$0$AutoIt v3
              • API String ID: 423443420-4155596026
              • Opcode ID: 341844d3cf0b4e6c43dc4c59bd81cb03d463f913335fe5a82a09f14a193efcbd
              • Instruction ID: 572e922ea706b394371e7038bc6604dd43b78b09535438f91d2a0959006749a4
              • Opcode Fuzzy Hash: 341844d3cf0b4e6c43dc4c59bd81cb03d463f913335fe5a82a09f14a193efcbd
              • Instruction Fuzzy Hash: 10214D70D04755AFFB10DFA4EC89B9D7BB4FB09B16F00052AF600BA2A1D3B955408F94

              Control-flow Graph

              APIs
              • DefWindowProcW.USER32(?,?,?,?), ref: 000236D2
              • KillTimer.USER32(?,00000001), ref: 000236FC
              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0002371F
              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0002372A
              • CreatePopupMenu.USER32 ref: 0002373E
              • PostQuitMessage.USER32(00000000), ref: 0002374D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
              • String ID: TaskbarCreated
              • API String ID: 129472671-2362178303
              • Opcode ID: da0a2ba87898180b4f853f8e750e6c4d43c019815259a70da1d6be4a75259e05
              • Instruction ID: b23e29c513aca5cf71258e6ce3834503e6a94e27c3e06b6052121e3bca166bf0
              • Opcode Fuzzy Hash: da0a2ba87898180b4f853f8e750e6c4d43c019815259a70da1d6be4a75259e05
              • Instruction Fuzzy Hash: BD41AFB1104955BBEF345F74FC4DBBE37D8E705301F10092AF646A62E2CA6D9E058321

              Control-flow Graph

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
              • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
              • API String ID: 1825951767-3513169116
              • Opcode ID: 6228f57c5a2b8216ad3362c4445f7c15f872efc1cabb8e37270e3efd12d80ee3
              • Instruction ID: 4b3403bc8d5ee9bce3bcf3401e05335ba0f062f1f90b5350f04ad7d172100393
              • Opcode Fuzzy Hash: 6228f57c5a2b8216ad3362c4445f7c15f872efc1cabb8e37270e3efd12d80ee3
              • Instruction Fuzzy Hash: C5A15E7190022DAADF15EBE0EC91EEEB778BF15300F44042AF515B7192DF785A08CB60

              Control-flow Graph

              APIs
              • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 019A8211
              • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 019A8437
              Memory Dump Source
              • Source File: 00000000.00000002.2196552170.00000000019A5000.00000040.00000020.00020000.00000000.sdmp, Offset: 019A5000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_19a5000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: CreateFileFreeVirtual
              • String ID:
              • API String ID: 204039940-0
              • Opcode ID: ed516440ab75e0c1ded8a7b1870b24392b753ad5cf7d4aa929dd61e32643855c
              • Instruction ID: 89c29edc70400c7414d9578e00d9cad93e95eeb2164a686a2523b214f09e4dcc
              • Opcode Fuzzy Hash: ed516440ab75e0c1ded8a7b1870b24392b753ad5cf7d4aa929dd61e32643855c
              • Instruction Fuzzy Hash: C3A11970E00209EFDB14CFA8C894BEEBBB5FF48306F608559E605BB290D7759A45CB94

              Control-flow Graph

              APIs
              • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00023A03
              • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00023A24
              • ShowWindow.USER32(00000000,?,?), ref: 00023A38
              • ShowWindow.USER32(00000000,?,?), ref: 00023A41
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Window$CreateShow
              • String ID: AutoIt v3$edit
              • API String ID: 1584632944-3779509399
              • Opcode ID: 7d85b2049cca14d67e8a5ebddebfba3be0f65c7fc092a4d9d5eedb2554331165
              • Instruction ID: b71866a1c45f969b6adacccf8da5fcee09f60b821f7412d40013016f5e258ecb
              • Opcode Fuzzy Hash: 7d85b2049cca14d67e8a5ebddebfba3be0f65c7fc092a4d9d5eedb2554331165
              • Instruction Fuzzy Hash: 27F03A706006D07EFA305763AC88E7B3E7DD7CBF55B00052EBB00BA171C2690840CAB0

              Control-flow Graph

              APIs
                • Part of subcall function 019A7E20: Sleep.KERNELBASE(000001F4), ref: 019A7E31
              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 019A802F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2196552170.00000000019A5000.00000040.00000020.00020000.00000000.sdmp, Offset: 019A5000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_19a5000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: CreateFileSleep
              • String ID: XAQP6LUQBGIX
              • API String ID: 2694422964-3944389635
              • Opcode ID: 658b73981ebde39bdd6c2aa0ef14a0e5c9d29175a15456c1e5c98d050963fd86
              • Instruction ID: fdd95c0219d8d0d6511a3f64e11aa89cbf5926a0b448c5ea0ce48f15ac97e05b
              • Opcode Fuzzy Hash: 658b73981ebde39bdd6c2aa0ef14a0e5c9d29175a15456c1e5c98d050963fd86
              • Instruction Fuzzy Hash: C9518F31D4425AEAEF10DBE4C805BEFBB79AF44301F004598E618BB2C0DB795A48CBA5

              Control-flow Graph

              APIs
              • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0005D3D7
                • Part of subcall function 00027BCC: _memmove.LIBCMT ref: 00027C06
              • _memset.LIBCMT ref: 000240FC
              • _wcscpy.LIBCMT ref: 00024150
              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00024160
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
              • String ID: Line:
              • API String ID: 3942752672-1585850449
              • Opcode ID: d5635e952f70ef6c513bb848d43a5399d490974cbe3651c6c4c749774a1e9d4e
              • Instruction ID: ebf2133292450458dee083dfacca6381b74cad1189bc849368278cec5d12b271
              • Opcode Fuzzy Hash: d5635e952f70ef6c513bb848d43a5399d490974cbe3651c6c4c749774a1e9d4e
              • Instruction Fuzzy Hash: 5A31F371008754AFE771EB60EC86FDB77E8AF45305F10491EF689960A2DB74A648C783

              Control-flow Graph

              APIs
                • Part of subcall function 00024DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,000E52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00024E0F
              • _free.LIBCMT ref: 0005E263
              • _free.LIBCMT ref: 0005E2AA
                • Part of subcall function 00026A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00026BAD
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: _free$CurrentDirectoryLibraryLoad
              • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
              • API String ID: 2861923089-1757145024
              • Opcode ID: a94bd17bc3a5b94f40b75f634f76a7161f09d0698530db4abc6dcb7be0be15cb
              • Instruction ID: 1810aa7ad267c1ace7f170529f1f725fec9a5eab3cd351a13169454f988f7776
              • Opcode Fuzzy Hash: a94bd17bc3a5b94f40b75f634f76a7161f09d0698530db4abc6dcb7be0be15cb
              • Instruction Fuzzy Hash: 99919271900269DFCF18EFA4DC819EEB7B8FF09311F104429F855AB2A2DB709A55CB54
              APIs
              • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,000235A1,SwapMouseButtons,00000004,?), ref: 000235D4
              • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,000235A1,SwapMouseButtons,00000004,?,?,?,?,00022754), ref: 000235F5
              • RegCloseKey.KERNELBASE(00000000,?,?,000235A1,SwapMouseButtons,00000004,?,?,?,?,00022754), ref: 00023617
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: CloseOpenQueryValue
              • String ID: Control Panel\Mouse
              • API String ID: 3677997916-824357125
              • Opcode ID: 60ab174540a16fe49397fc72fc2c66fb50e00f91c29c2cdf9218df420558102a
              • Instruction ID: 2a3ce3604dea90835735dd5e1ef2260aded0f389bc41fd8f90bcc676488f8170
              • Opcode Fuzzy Hash: 60ab174540a16fe49397fc72fc2c66fb50e00f91c29c2cdf9218df420558102a
              • Instruction Fuzzy Hash: 59111875611228BFDB208FA4EC48EBFB7BCEF05740F118569E805D7210E6759E509B64
              APIs
              • CreateProcessW.KERNELBASE(?,00000000), ref: 019A75DB
              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 019A7671
              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 019A7693
              Memory Dump Source
              • Source File: 00000000.00000002.2196552170.00000000019A5000.00000040.00000020.00020000.00000000.sdmp, Offset: 019A5000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_19a5000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Process$ContextCreateMemoryReadThreadWow64
              • String ID:
              • API String ID: 2438371351-0
              • Opcode ID: fc310a6135c3389c0587bc6629e9838c2c50d5be0bfc8bfa2df8a04cac11b1e3
              • Instruction ID: a8457f44011d0e70c6e9405283a8cd4cb931396718bb3beb69e127caf5c08c6f
              • Opcode Fuzzy Hash: fc310a6135c3389c0587bc6629e9838c2c50d5be0bfc8bfa2df8a04cac11b1e3
              • Instruction Fuzzy Hash: D9621B30A14218DBEB24CFA4C841BDEB776EF58301F5091A9D20DEB390E7769E85CB59
              APIs
                • Part of subcall function 00024EE5: _fseek.LIBCMT ref: 00024EFD
                • Part of subcall function 00089734: _wcscmp.LIBCMT ref: 00089824
                • Part of subcall function 00089734: _wcscmp.LIBCMT ref: 00089837
              • _free.LIBCMT ref: 000896A2
              • _free.LIBCMT ref: 000896A9
              • _free.LIBCMT ref: 00089714
                • Part of subcall function 00042D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00049A24), ref: 00042D69
                • Part of subcall function 00042D55: GetLastError.KERNEL32(00000000,?,00049A24), ref: 00042D7B
              • _free.LIBCMT ref: 0008971C
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
              • String ID:
              • API String ID: 1552873950-0
              • Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
              • Instruction ID: 2ab92d2c0335ce52d57bcaa7722e1e599d923278d8e8ac8c2d24ed31c66bf368
              • Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
              • Instruction Fuzzy Hash: 995132B1D04258ABDF259F64DC41AEEBB79FF48300F1444AEF549A3242DB715A80CF58
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: __flsbuf__flush__getptd_noexit__write_memmove
              • String ID:
              • API String ID: 2782032738-0
              • Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
              • Instruction ID: 7734e805009f182c970bc29d4050717703bb05ae10a4e98c645e5c8c3610aeef
              • Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
              • Instruction Fuzzy Hash: 4641E4F4B04746ABDB28CF69C880AAE77E5EF42360B24857DE815C7641EB70DD428B48
              APIs
              • _memset.LIBCMT ref: 000244CF
                • Part of subcall function 0002407C: _memset.LIBCMT ref: 000240FC
                • Part of subcall function 0002407C: _wcscpy.LIBCMT ref: 00024150
                • Part of subcall function 0002407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00024160
              • KillTimer.USER32(?,00000001,?,?), ref: 00024524
              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00024533
              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0005D4B9
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
              • String ID:
              • API String ID: 1378193009-0
              • Opcode ID: d692ffc10703aba676216f42b0283f78554f9b35b28a05181c51e6f0cb8379a9
              • Instruction ID: f9b9b2493ba4d6b0f2db277d44d5caeb25671208eabc3b18457edbc752bbd1f9
              • Opcode Fuzzy Hash: d692ffc10703aba676216f42b0283f78554f9b35b28a05181c51e6f0cb8379a9
              • Instruction Fuzzy Hash: 7721C570904BA49FF772CB249855BEBBBEC9B06319F04049EEBDA5A142C3746988CB51
              APIs
              • _memset.LIBCMT ref: 0005EA39
              • GetOpenFileNameW.COMDLG32(?), ref: 0005EA83
                • Part of subcall function 00024750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00024743,?,?,000237AE,?), ref: 00024770
                • Part of subcall function 00040791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 000407B0
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Name$Path$FileFullLongOpen_memset
              • String ID: X
              • API String ID: 3777226403-3081909835
              • Opcode ID: a0511a65ef580bf49c9d01ef7f7992e0070b0eaafb4a473275872974f2b06b77
              • Instruction ID: 091f9beaf5cc08e24417dbe2d5cf1eeea5103389da1de0bd85d4973f59810646
              • Opcode Fuzzy Hash: a0511a65ef580bf49c9d01ef7f7992e0070b0eaafb4a473275872974f2b06b77
              • Instruction Fuzzy Hash: 5921D870A042589BDF51DF94DC45BEE7BF8AF49715F00401AE908BB242DFB8598D8FA1
              APIs
              • GetTempPathW.KERNEL32(00000104,?), ref: 000898F8
              • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0008990F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Temp$FileNamePath
              • String ID: aut
              • API String ID: 3285503233-3010740371
              • Opcode ID: c94a505c3e2af739f1086bde87fd4b30824981c448f77f1f5a315138f6061457
              • Instruction ID: b037695be6d31ac0aee4b242d0b02ca3b705e533469cc1a0d0f9284fb5761ba6
              • Opcode Fuzzy Hash: c94a505c3e2af739f1086bde87fd4b30824981c448f77f1f5a315138f6061457
              • Instruction Fuzzy Hash: 80D05E7954030EABEB509BE0DC0EFEA773CE704701F0042B1BB94951A1EEB495988BA1
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              APIs
                • Part of subcall function 00040162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00040193
                • Part of subcall function 00040162: MapVirtualKeyW.USER32(00000010,00000000), ref: 0004019B
                • Part of subcall function 00040162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 000401A6
                • Part of subcall function 00040162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 000401B1
                • Part of subcall function 00040162: MapVirtualKeyW.USER32(00000011,00000000), ref: 000401B9
                • Part of subcall function 00040162: MapVirtualKeyW.USER32(00000012,00000000), ref: 000401C1
                • Part of subcall function 000360F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0002F930), ref: 00036154
              • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0002F9CD
              • OleInitialize.OLE32(00000000), ref: 0002FA4A
              • CloseHandle.KERNEL32(00000000), ref: 000645C8
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
              • String ID:
              • API String ID: 1986988660-0
              APIs
              • _memset.LIBCMT ref: 00024370
              • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00024415
              • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00024432
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: IconNotifyShell_$_memset
              • String ID:
              • API String ID: 1505330794-0
              APIs
              • __FF_MSGBANNER.LIBCMT ref: 00045733
                • Part of subcall function 0004A16B: __NMSG_WRITE.LIBCMT ref: 0004A192
                • Part of subcall function 0004A16B: __NMSG_WRITE.LIBCMT ref: 0004A19C
              • __NMSG_WRITE.LIBCMT ref: 0004573A
                • Part of subcall function 0004A1C8: GetModuleFileNameW.KERNEL32(00000000,000E33BA,00000104,?,00000001,00000000), ref: 0004A25A
                • Part of subcall function 0004A1C8: ___crtMessageBoxW.LIBCMT ref: 0004A308
                • Part of subcall function 0004309F: ___crtCorExitProcess.LIBCMT ref: 000430A5
                • Part of subcall function 0004309F: ExitProcess.KERNEL32 ref: 000430AE
                • Part of subcall function 00048B28: __getptd_noexit.LIBCMT ref: 00048B28
              • RtlAllocateHeap.NTDLL(01960000,00000000,00000001,00000000,?,?,?,00040DD3,?), ref: 0004575F
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
              • String ID:
              • API String ID: 1372826849-0
              APIs
              • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00089548,?,?,?,?,?,00000004), ref: 000898BB
              • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00089548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 000898D1
              • CloseHandle.KERNEL32(00000000,?,00089548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 000898D8
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: File$CloseCreateHandleTime
              • String ID:
              • API String ID: 3397143404-0
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID:
              • String ID: CALL
              • API String ID: 0-4196123274
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: _memmove
              • String ID: EA06
              • API String ID: 4104443479-3962188686
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: _memmove
              • String ID:
              • API String ID: 4104443479-0
              APIs
              • IsThemeActive.UXTHEME ref: 00024834
                • Part of subcall function 0004336C: __lock.LIBCMT ref: 00043372
                • Part of subcall function 0004336C: DecodePointer.KERNEL32(00000001,?,00024849,00077C74), ref: 0004337E
                • Part of subcall function 0004336C: EncodePointer.KERNEL32(?,?,00024849,00077C74), ref: 00043389
                • Part of subcall function 000248FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00024915
                • Part of subcall function 000248FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0002492A
                • Part of subcall function 00023B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00023B68
                • Part of subcall function 00023B3A: IsDebuggerPresent.KERNEL32 ref: 00023B7A
                • Part of subcall function 00023B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,000E52F8,000E52E0,?,?), ref: 00023BEB
                • Part of subcall function 00023B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00023C6F
              • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00024874
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
              • String ID:
              • API String ID: 1438897964-0
              APIs
              • GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00023C14,000E52F8,?,?,?), ref: 0003096E
                • Part of subcall function 00027BCC: _memmove.LIBCMT ref: 00027C06
              • _wcscat.LIBCMT ref: 00064CB7
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: FullNamePath_memmove_wcscat
              • String ID:
              • API String ID: 257928180-0
              APIs
                • Part of subcall function 0004571C: __FF_MSGBANNER.LIBCMT ref: 00045733
                • Part of subcall function 0004571C: __NMSG_WRITE.LIBCMT ref: 0004573A
                • Part of subcall function 0004571C: RtlAllocateHeap.NTDLL(01960000,00000000,00000001,00000000,?,?,?,00040DD3,?), ref: 0004575F
              • std::exception::exception.LIBCMT ref: 00040DEC
              • __CxxThrowException@8.LIBCMT ref: 00040E01
                • Part of subcall function 0004859B: RaiseException.KERNEL32(?,?,?,000D9E78,00000000,?,?,?,?,00040E06,?,000D9E78,?,00000001), ref: 000485F0
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
              • String ID:
              • API String ID: 3902256705-0
              APIs
                • Part of subcall function 00048B28: __getptd_noexit.LIBCMT ref: 00048B28
              • __lock_file.LIBCMT ref: 000453EB
                • Part of subcall function 00046C11: __lock.LIBCMT ref: 00046C34
              • __fclose_nolock.LIBCMT ref: 000453F6
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
              • String ID:
              • API String ID: 2800547568-0
              APIs
              • CreateProcessW.KERNELBASE(?,00000000), ref: 019A75DB
              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 019A7671
              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 019A7693
              Memory Dump Source
              • Source File: 00000000.00000002.2196552170.00000000019A5000.00000040.00000020.00020000.00000000.sdmp, Offset: 019A5000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_19a5000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Process$ContextCreateMemoryReadThreadWow64
              • String ID:
              • API String ID: 2438371351-0
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: ProtectVirtual
              • String ID:
              • API String ID: 544645111-0
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: ClearVariant
              • String ID:
              • API String ID: 1473721057-0
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: _memmove
              • String ID:
              • API String ID: 4104443479-0
              APIs
              • GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00023C14,000E52F8,?,?,?), ref: 0003096E
                • Part of subcall function 00027BCC: _memmove.LIBCMT ref: 00027C06
              • _wcscat.LIBCMT ref: 00064CB7
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: FullNamePath_memmove_wcscat
              • String ID:
              • API String ID: 257928180-0
              APIs
                • Part of subcall function 00024BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00024BEF
                • Part of subcall function 0004525B: __wfsopen.LIBCMT ref: 00045266
              • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,000E52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00024E0F
                • Part of subcall function 00024B6A: FreeLibrary.KERNEL32(00000000), ref: 00024BA4
                • Part of subcall function 00024C70: _memmove.LIBCMT ref: 00024CBA
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Library$Free$Load__wfsopen_memmove
              • String ID:
              • API String ID: 1396898556-0
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: ClearVariant
              • String ID:
              • API String ID: 1473721057-0
              • Opcode ID: 3c9f5aa9d986574baa43c55c8656ebf53848ed1b3709d6e652257485f7f7cd95
              • Instruction ID: 4a522df79fa1ecf8e0d84d471f936389b1dcff423be8b09fc433eab4ae42b62e
              • Opcode Fuzzy Hash: 3c9f5aa9d986574baa43c55c8656ebf53848ed1b3709d6e652257485f7f7cd95
              • Instruction Fuzzy Hash: 532155B4608311DFCB64DF64D444B6ABBE1BF89314F04886CF98A57722CB31E805CB92
              APIs
              • CharUpperBuffW.USER32(00000000,?,00000000,00000048,-00000003,?,00033E69,?,?,?,-00000003,00000000,00000000), ref: 00028280
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: BuffCharUpper
              • String ID:
              • API String ID: 3964851224-0
              • Opcode ID: bd90c80f8ffc7fb6824159bde9bc35ac57ccf9202b4a02e363d6604be2176cc3
              • Instruction ID: c79dbaf4986d3e69ce1a1b44065fad97be137317e52a3b3223b1a86ab643f5ef
              • Opcode Fuzzy Hash: bd90c80f8ffc7fb6824159bde9bc35ac57ccf9202b4a02e363d6604be2176cc3
              • Instruction Fuzzy Hash: D8F0C279601E32DBCB215F54E80066AFBA4EF44B60F10C129E64946651CF35D824CBC4
              APIs
              • __lock_file.LIBCMT ref: 000448A6
                • Part of subcall function 00048B28: __getptd_noexit.LIBCMT ref: 00048B28
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: __getptd_noexit__lock_file
              • String ID:
              • API String ID: 2597487223-0
              • Opcode ID: 1edc67fab104a21a074c1101aaa8c69a8f7d754455c7e79c4b9d1ccafb7b231a
              • Instruction ID: 3f1dc1bb6247a59740825b9c20b153bd99c88494617c77b8a5b97c076778bfae
              • Opcode Fuzzy Hash: 1edc67fab104a21a074c1101aaa8c69a8f7d754455c7e79c4b9d1ccafb7b231a
              • Instruction Fuzzy Hash: D7F0AFF1901609ABDF51AFA48C067EE36E0AF01325F158838B424AA193DF788951DB59
              APIs
              • FreeLibrary.KERNEL32(?,?,000E52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00024E7E
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: FreeLibrary
              • String ID:
              • API String ID: 3664257935-0
              • Opcode ID: efd72df07ca48e966c4ea77070aa8b39897b800e55c872b7bf76d6a5dfa14ef0
              • Instruction ID: 4a6ce1dd97450434cc64e8676e5e9f3b997995f2c0023fc7408ff732d4f267b3
              • Opcode Fuzzy Hash: efd72df07ca48e966c4ea77070aa8b39897b800e55c872b7bf76d6a5dfa14ef0
              • Instruction Fuzzy Hash: 76F03071501721CFEF349F64E494816B7E5BF14329312893EE1D682611C7719840DF40
              APIs
              • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 000407B0
                • Part of subcall function 00027BCC: _memmove.LIBCMT ref: 00027C06
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: LongNamePath_memmove
              • String ID:
              • API String ID: 2514874351-0
              • Opcode ID: c201cd4324495a0e0881b7ff1e914e173d3fa9f0a76a563ca0fd5104b9049f20
              • Instruction ID: 7c0aaca0ea4d2875f4967f571875e74b49bb356cdf0b6bd4b05f0b67738c5e15
              • Opcode Fuzzy Hash: c201cd4324495a0e0881b7ff1e914e173d3fa9f0a76a563ca0fd5104b9049f20
              • Instruction Fuzzy Hash: FDE0CD369051285BC721D6989C05FFA77DDDFC97A1F0441B6FC0CD7215DD649C8086D0
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: __wfsopen
              • String ID:
              • API String ID: 197181222-0
              • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
              • Instruction ID: 19a0db27a6a43f4deddc9b53b8460c1b4a8db804ef5104f86bf18e98c36d5b4a
              • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
              • Instruction Fuzzy Hash: B4B092B644020C77CE012A82EC02A893B199B46764F408021FB0C18163A6B3A6649A89
              APIs
              • Sleep.KERNELBASE(000001F4), ref: 019A7E31
              Memory Dump Source
              • Source File: 00000000.00000002.2196552170.00000000019A5000.00000040.00000020.00020000.00000000.sdmp, Offset: 019A5000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_19a5000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Sleep
              • String ID:
              • API String ID: 3472027048-0
              • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
              • Instruction ID: 891f9a19470b4f37ae08ebaf6a13492d33f7bdcb472bfaa006128a1f1858f9b8
              • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
              • Instruction Fuzzy Hash: 4FE0E67594010EDFDB00EFF4D94969E7FB4EF04301F100161FD05D2291D6319D508A62
              APIs
                • Part of subcall function 00022612: GetWindowLongW.USER32(?,000000EB), ref: 00022623
              • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 000ACB37
              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 000ACB95
              • GetWindowLongW.USER32(?,000000F0), ref: 000ACBD6
              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 000ACC00
              • SendMessageW.USER32 ref: 000ACC29
              • _wcsncpy.LIBCMT ref: 000ACC95
              • GetKeyState.USER32(00000011), ref: 000ACCB6
              • GetKeyState.USER32(00000009), ref: 000ACCC3
              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 000ACCD9
              • GetKeyState.USER32(00000010), ref: 000ACCE3
              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 000ACD0C
              • SendMessageW.USER32 ref: 000ACD33
              • SendMessageW.USER32(?,00001030,?,000AB348), ref: 000ACE37
              • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 000ACE4D
              • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 000ACE60
              • SetCapture.USER32(?), ref: 000ACE69
              • ClientToScreen.USER32(?,?), ref: 000ACECE
              • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 000ACEDB
              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 000ACEF5
              • ReleaseCapture.USER32 ref: 000ACF00
              • GetCursorPos.USER32(?), ref: 000ACF3A
              • ScreenToClient.USER32(?,?), ref: 000ACF47
              • SendMessageW.USER32(?,00001012,00000000,?), ref: 000ACFA3
              • SendMessageW.USER32 ref: 000ACFD1
              • SendMessageW.USER32(?,00001111,00000000,?), ref: 000AD00E
              • SendMessageW.USER32 ref: 000AD03D
              • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 000AD05E
              • SendMessageW.USER32(?,0000110B,00000009,?), ref: 000AD06D
              • GetCursorPos.USER32(?), ref: 000AD08D
              • ScreenToClient.USER32(?,?), ref: 000AD09A
              • GetParent.USER32(?), ref: 000AD0BA
              • SendMessageW.USER32(?,00001012,00000000,?), ref: 000AD123
              • SendMessageW.USER32 ref: 000AD154
              • ClientToScreen.USER32(?,?), ref: 000AD1B2
              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 000AD1E2
              • SendMessageW.USER32(?,00001111,00000000,?), ref: 000AD20C
              • SendMessageW.USER32 ref: 000AD22F
              • ClientToScreen.USER32(?,?), ref: 000AD281
              • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 000AD2B5
                • Part of subcall function 000225DB: GetWindowLongW.USER32(?,000000EB), ref: 000225EC
              • GetWindowLongW.USER32(?,000000F0), ref: 000AD351
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
              • String ID: @GUI_DRAGID$F
              • API String ID: 3977979337-4164748364
              • Opcode ID: 732ccdee660e334b38ea8172987e54c17909a0a563711661f156c2604ad3ce81
              • Instruction ID: 74040f461b902da44d03178abf0ee309948603106f488c0a00594d23d4f30c95
              • Opcode Fuzzy Hash: 732ccdee660e334b38ea8172987e54c17909a0a563711661f156c2604ad3ce81
              • Instruction Fuzzy Hash: AB42D034204741AFEB24CFA4CC84EAABBE5FF4A710F140919F6959B2B1C732D950DBA1
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: _memmove$_memset
              • String ID: ]$DEFINE$P\$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
              • API String ID: 1357608183-996749009
              • Opcode ID: cc0e8de2158a51a486afd13419c603d26ff0e5c6da6c99ea160292857e035237
              • Instruction ID: cfb86fb897d894e84de1fc423e0d417777d11ef3526564023eda529472ea3a3e
              • Opcode Fuzzy Hash: cc0e8de2158a51a486afd13419c603d26ff0e5c6da6c99ea160292857e035237
              • Instruction Fuzzy Hash: 3693AE71E04219DBDB25CF98C881BADB7F1FF48310F24C16AE949AB281E7749E81DB54
              APIs
              • GetForegroundWindow.USER32(00000000,?), ref: 000248DF
              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0005D665
              • IsIconic.USER32(?), ref: 0005D66E
              • ShowWindow.USER32(?,00000009), ref: 0005D67B
              • SetForegroundWindow.USER32(?), ref: 0005D685
              • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0005D69B
              • GetCurrentThreadId.KERNEL32 ref: 0005D6A2
              • GetWindowThreadProcessId.USER32(?,00000000), ref: 0005D6AE
              • AttachThreadInput.USER32(?,00000000,00000001), ref: 0005D6BF
              • AttachThreadInput.USER32(?,00000000,00000001), ref: 0005D6C7
              • AttachThreadInput.USER32(00000000,?,00000001), ref: 0005D6CF
              • SetForegroundWindow.USER32(?), ref: 0005D6D2
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0005D6E7
              • keybd_event.USER32(00000012,00000000), ref: 0005D6F2
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0005D6FC
              • keybd_event.USER32(00000012,00000000), ref: 0005D701
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0005D70A
              • keybd_event.USER32(00000012,00000000), ref: 0005D70F
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0005D719
              • keybd_event.USER32(00000012,00000000), ref: 0005D71E
              • SetForegroundWindow.USER32(?), ref: 0005D721
              • AttachThreadInput.USER32(?,?,00000000), ref: 0005D748
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
              • String ID: Shell_TrayWnd
              • API String ID: 4125248594-2988720461
              • Opcode ID: 25aa4fdefb898f604385e069440127af1d4ad51655535f11caaebc18609881db
              • Instruction ID: ddd5faa74cb44a3ec6026352093ee898f6c9dd69dbf0dd1f69db9bd8e3b810a8
              • Opcode Fuzzy Hash: 25aa4fdefb898f604385e069440127af1d4ad51655535f11caaebc18609881db
              • Instruction Fuzzy Hash: A8319271A40718BBFB306FB19C49F7F3EACEB45B51F104026FA04EA1D1DAB45901ABA1
              APIs
                • Part of subcall function 000787E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0007882B
                • Part of subcall function 000787E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00078858
                • Part of subcall function 000787E1: GetLastError.KERNEL32 ref: 00078865
              • _memset.LIBCMT ref: 00078353
              • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 000783A5
              • CloseHandle.KERNEL32(?), ref: 000783B6
              • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 000783CD
              • GetProcessWindowStation.USER32 ref: 000783E6
              • SetProcessWindowStation.USER32(00000000), ref: 000783F0
              • OpenDesktopW.USER32(default,00000000,00000000,|$$), ref: 0007840A
                • Part of subcall function 000781CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00078309), ref: 000781E0
                • Part of subcall function 000781CB: CloseHandle.KERNEL32(?,?,00078309), ref: 000781F2
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
              • String ID: $default$winsta0$|$$
              • API String ID: 2063423040-991071530
              • Opcode ID: 2dcc637dfefdbe25c3bd36fea3f2f66ea53eebc44baa8482d4a09109760bebb0
              • Instruction ID: 31f6cbb507090bce1f1c7eb12cd46f1b9bb1cca7c6043a44bf4efe3234d96483
              • Opcode Fuzzy Hash: 2dcc637dfefdbe25c3bd36fea3f2f66ea53eebc44baa8482d4a09109760bebb0
              • Instruction Fuzzy Hash: 868189B1D40249AFDF519FA4CC49AFE7BB8EF04304F14C069F918A6261DB398E54DB28
              APIs
              • FindFirstFileW.KERNEL32(?,?), ref: 0008C78D
              • FindClose.KERNEL32(00000000), ref: 0008C7E1
              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0008C806
              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0008C81D
              • FileTimeToSystemTime.KERNEL32(?,?), ref: 0008C844
              • __swprintf.LIBCMT ref: 0008C890
              • __swprintf.LIBCMT ref: 0008C8D3
                • Part of subcall function 00027DE1: _memmove.LIBCMT ref: 00027E22
              • __swprintf.LIBCMT ref: 0008C927
                • Part of subcall function 00043698: __woutput_l.LIBCMT ref: 000436F1
              • __swprintf.LIBCMT ref: 0008C975
                • Part of subcall function 00043698: __flsbuf.LIBCMT ref: 00043713
                • Part of subcall function 00043698: __flsbuf.LIBCMT ref: 0004372B
              • __swprintf.LIBCMT ref: 0008C9C4
              • __swprintf.LIBCMT ref: 0008CA13
              • __swprintf.LIBCMT ref: 0008CA62
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
              • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
              • API String ID: 3953360268-2428617273
              • Opcode ID: 9137f8735b195e0feb17219d7da417a0015c7e7a746515b5b4b7d11bc04a42df
              • Instruction ID: 981af7e1e08881d5876a9fe9b4391289603c496a4bb1c1cb3625b8e88c6747aa
              • Opcode Fuzzy Hash: 9137f8735b195e0feb17219d7da417a0015c7e7a746515b5b4b7d11bc04a42df
              • Instruction Fuzzy Hash: 9DA14DB1408315ABD714EFA4D885EEFB7ECFF95704F40492AF58586192EB34DA08CB62
              APIs
              • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 0008EFB6
              • _wcscmp.LIBCMT ref: 0008EFCB
              • _wcscmp.LIBCMT ref: 0008EFE2
              • GetFileAttributesW.KERNEL32(?), ref: 0008EFF4
              • SetFileAttributesW.KERNEL32(?,?), ref: 0008F00E
              • FindNextFileW.KERNEL32(00000000,?), ref: 0008F026
              • FindClose.KERNEL32(00000000), ref: 0008F031
              • FindFirstFileW.KERNEL32(*.*,?), ref: 0008F04D
              • _wcscmp.LIBCMT ref: 0008F074
              • _wcscmp.LIBCMT ref: 0008F08B
              • SetCurrentDirectoryW.KERNEL32(?), ref: 0008F09D
              • SetCurrentDirectoryW.KERNEL32(000D8920), ref: 0008F0BB
              • FindNextFileW.KERNEL32(00000000,00000010), ref: 0008F0C5
              • FindClose.KERNEL32(00000000), ref: 0008F0D2
              • FindClose.KERNEL32(00000000), ref: 0008F0E4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
              • String ID: *.*
              • API String ID: 1803514871-438819550
              • Opcode ID: 85dfd6bd1b9ab819e3203e35ca6c921971c329999d4621c2ec1b13120d2b4699
              • Instruction ID: 6b447c5f098ca86bf431172cffe8d848ecc35295950ab56ab3a5f36a69224eb8
              • Opcode Fuzzy Hash: 85dfd6bd1b9ab819e3203e35ca6c921971c329999d4621c2ec1b13120d2b4699
              • Instruction Fuzzy Hash: 2F31D43250060A6EDB14ABF4DC48BFEB7ECAF49360F144276E980D2192DB74DA80CF65
              APIs
              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000A0953
              • RegCreateKeyExW.ADVAPI32(?,?,00000000,000AF910,00000000,?,00000000,?,?), ref: 000A09C1
              • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 000A0A09
              • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 000A0A92
              • RegCloseKey.ADVAPI32(?), ref: 000A0DB2
              • RegCloseKey.ADVAPI32(00000000), ref: 000A0DBF
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Close$ConnectCreateRegistryValue
              • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
              • API String ID: 536824911-966354055
              • Opcode ID: d04d140f22bdc47c7cee4b70cdf0cca5ec8e6304cc91de0b5f67c9924ca9cdec
              • Instruction ID: 7f10709c8f388a65abd7a3a4d18fa64fcb37e1f79336d9b70ee8b6ed9d532ecc
              • Opcode Fuzzy Hash: d04d140f22bdc47c7cee4b70cdf0cca5ec8e6304cc91de0b5f67c9924ca9cdec
              • Instruction Fuzzy Hash: A0028D756006119FCB54EF64D845E6AB7E5FF8A720F04896DF88A9B362CB30EC41CB85
              APIs
              • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 0008F113
              • _wcscmp.LIBCMT ref: 0008F128
              • _wcscmp.LIBCMT ref: 0008F13F
                • Part of subcall function 00084385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 000843A0
              • FindNextFileW.KERNEL32(00000000,?), ref: 0008F16E
              • FindClose.KERNEL32(00000000), ref: 0008F179
              • FindFirstFileW.KERNEL32(*.*,?), ref: 0008F195
              • _wcscmp.LIBCMT ref: 0008F1BC
              • _wcscmp.LIBCMT ref: 0008F1D3
              • SetCurrentDirectoryW.KERNEL32(?), ref: 0008F1E5
              • SetCurrentDirectoryW.KERNEL32(000D8920), ref: 0008F203
              • FindNextFileW.KERNEL32(00000000,00000010), ref: 0008F20D
              • FindClose.KERNEL32(00000000), ref: 0008F21A
              • FindClose.KERNEL32(00000000), ref: 0008F22C
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
              • String ID: *.*
              • API String ID: 1824444939-438819550
              • Opcode ID: 9b5214b63809ee3a8b3c6fe59d650b6115ea465c58b41c96efc7e811941cf37a
              • Instruction ID: 91ef943dda770ac0b7b6e6d448c261dacb9130e236d70d9550d4a46159d8a650
              • Opcode Fuzzy Hash: 9b5214b63809ee3a8b3c6fe59d650b6115ea465c58b41c96efc7e811941cf37a
              • Instruction Fuzzy Hash: DD31C63650061B6ADF20ABB4EC59BFEB7ACAF45360F140171E980E2191DB34DE85CB68
              APIs
              • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0008A20F
              • __swprintf.LIBCMT ref: 0008A231
              • CreateDirectoryW.KERNEL32(?,00000000), ref: 0008A26E
              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0008A293
              • _memset.LIBCMT ref: 0008A2B2
              • _wcsncpy.LIBCMT ref: 0008A2EE
              • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0008A323
              • CloseHandle.KERNEL32(00000000), ref: 0008A32E
              • RemoveDirectoryW.KERNEL32(?), ref: 0008A337
              • CloseHandle.KERNEL32(00000000), ref: 0008A341
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
              • String ID: :$\$\??\%s
              • API String ID: 2733774712-3457252023
              APIs
                • Part of subcall function 00078202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0007821E
                • Part of subcall function 00078202: GetLastError.KERNEL32(?,00077CE2,?,?,?), ref: 00078228
                • Part of subcall function 00078202: GetProcessHeap.KERNEL32(00000008,?,?,00077CE2,?,?,?), ref: 00078237
                • Part of subcall function 00078202: HeapAlloc.KERNEL32(00000000,?,00077CE2,?,?,?), ref: 0007823E
                • Part of subcall function 00078202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00078255
                • Part of subcall function 0007829F: GetProcessHeap.KERNEL32(00000008,00077CF8,00000000,00000000,?,00077CF8,?), ref: 000782AB
                • Part of subcall function 0007829F: HeapAlloc.KERNEL32(00000000,?,00077CF8,?), ref: 000782B2
                • Part of subcall function 0007829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00077CF8,?), ref: 000782C3
              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00077D13
              • _memset.LIBCMT ref: 00077D28
              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00077D47
              • GetLengthSid.ADVAPI32(?), ref: 00077D58
              • GetAce.ADVAPI32(?,00000000,?), ref: 00077D95
              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00077DB1
              • GetLengthSid.ADVAPI32(?), ref: 00077DCE
              • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00077DDD
              • HeapAlloc.KERNEL32(00000000), ref: 00077DE4
              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00077E05
              • CopySid.ADVAPI32(00000000), ref: 00077E0C
              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00077E3D
              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00077E63
              • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00077E77
              Similarity
              • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
              • String ID:
              • API String ID: 3996160137-0
              Similarity
              • API ID:
              • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
              • API String ID: 0-4052911093
              APIs
              • GetKeyboardState.USER32(?), ref: 00080097
              • SetKeyboardState.USER32(?), ref: 00080102
              • GetAsyncKeyState.USER32(000000A0), ref: 00080122
              • GetKeyState.USER32(000000A0), ref: 00080139
              • GetAsyncKeyState.USER32(000000A1), ref: 00080168
              • GetKeyState.USER32(000000A1), ref: 00080179
              • GetAsyncKeyState.USER32(00000011), ref: 000801A5
              • GetKeyState.USER32(00000011), ref: 000801B3
              • GetAsyncKeyState.USER32(00000012), ref: 000801DC
              • GetKeyState.USER32(00000012), ref: 000801EA
              • GetAsyncKeyState.USER32(0000005B), ref: 00080213
              • GetKeyState.USER32(0000005B), ref: 00080221
              Similarity
              • API ID: State$Async$Keyboard
              • String ID:
              • API String ID: 541375521-0
              APIs
                • Part of subcall function 000A0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0009FDAD,?,?), ref: 000A0E31
              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000A04AC
                • Part of subcall function 00029837: __itow.LIBCMT ref: 00029862
                • Part of subcall function 00029837: __swprintf.LIBCMT ref: 000298AC
              • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 000A054B
              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 000A05E3
              • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 000A0822
              • RegCloseKey.ADVAPI32(00000000), ref: 000A082F
              Similarity
              • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
              • String ID:
              • API String ID: 1240663315-0
              Similarity
              • API ID: Clipboard$AllocCloseEmptyGlobalOpen
              • String ID:
              • API String ID: 1737998785-0
              APIs
                • Part of subcall function 00024750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00024743,?,?,000237AE,?), ref: 00024770
                • Part of subcall function 00084A31: GetFileAttributesW.KERNEL32(?,0008370B), ref: 00084A32
              • FindFirstFileW.KERNEL32(?,?), ref: 000838A3
              • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 0008394B
              • MoveFileW.KERNEL32(?,?), ref: 0008395E
              • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0008397B
              • FindNextFileW.KERNEL32(00000000,00000010), ref: 0008399D
              • FindClose.KERNEL32(00000000,?,?,?,?), ref: 000839B9
              Similarity
              • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
              • String ID: \*.*
              • API String ID: 4002782344-1173974218
              APIs
                • Part of subcall function 00027DE1: _memmove.LIBCMT ref: 00027E22
              • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0008F440
              • Sleep.KERNEL32(0000000A), ref: 0008F470
              • _wcscmp.LIBCMT ref: 0008F484
              • _wcscmp.LIBCMT ref: 0008F49F
              • FindNextFileW.KERNEL32(?,?), ref: 0008F53D
              • FindClose.KERNEL32(00000000), ref: 0008F553
              Similarity
              • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
              • String ID: *.*
              • API String ID: 713712311-438819550
              Similarity
              • API ID: _memmove
              • String ID:
              • API String ID: 4104443479-0
              APIs
                • Part of subcall function 00024750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00024743,?,?,000237AE,?), ref: 00024770
                • Part of subcall function 00084A31: GetFileAttributesW.KERNEL32(?,0008370B), ref: 00084A32
              • FindFirstFileW.KERNEL32(?,?), ref: 00083B89
              • DeleteFileW.KERNEL32(?,?,?,?), ref: 00083BD9
              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00083BEA
              • FindClose.KERNEL32(00000000), ref: 00083C01
              • FindClose.KERNEL32(00000000), ref: 00083C0A
              Similarity
              • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
              • String ID: \*.*
              • API String ID: 2649000838-1173974218
              APIs
                • Part of subcall function 000787E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0007882B
                • Part of subcall function 000787E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00078858
                • Part of subcall function 000787E1: GetLastError.KERNEL32 ref: 00078865
              • ExitWindowsEx.USER32(?,00000000), ref: 000851F9
              Similarity
              • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
              • String ID: $@$SeShutdownPrivilege
              • API String ID: 2234035333-194228
              APIs
              • socket.WSOCK32(00000002,00000001,00000006), ref: 000962DC
              • WSAGetLastError.WSOCK32(00000000), ref: 000962EB
              • bind.WSOCK32(00000000,?,00000010), ref: 00096307
              • listen.WSOCK32(00000000,00000005), ref: 00096316
              • WSAGetLastError.WSOCK32(00000000), ref: 00096330
              • closesocket.WSOCK32(00000000), ref: 00096344
              Similarity
              • API ID: ErrorLast$bindclosesocketlistensocket
              • String ID:
              • API String ID: 1279440585-0
              APIs
                • Part of subcall function 00040DB6: std::exception::exception.LIBCMT ref: 00040DEC
                • Part of subcall function 00040DB6: __CxxThrowException@8.LIBCMT ref: 00040E01
              • _memmove.LIBCMT ref: 00070258
              • _memmove.LIBCMT ref: 0007036D
              • _memmove.LIBCMT ref: 00070414
              Similarity
              • API ID: _memmove$Exception@8Throwstd::exception::exception
              • String ID:
              • API String ID: 1300846289-0
              APIs
                • Part of subcall function 00022612: GetWindowLongW.USER32(?,000000EB), ref: 00022623
              • DefDlgProcW.USER32(?,?,?,?,?), ref: 000219FA
              • GetSysColor.USER32(0000000F), ref: 00021A4E
              • SetBkColor.GDI32(?,00000000), ref: 00021A61
                • Part of subcall function 00021290: DefDlgProcW.USER32(?,00000020,?), ref: 000212D8
              Similarity
              • API ID: ColorProc$LongWindow
              • String ID:
              • API String ID: 3744519093-0
              APIs
              • FindFirstFileW.KERNEL32(?,?), ref: 0008BCE6
              • _wcscmp.LIBCMT ref: 0008BD16
              • _wcscmp.LIBCMT ref: 0008BD2B
              • FindNextFileW.KERNEL32(00000000,?), ref: 0008BD3C
              • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0008BD6C
              Similarity
              • API ID: Find$File_wcscmp$CloseFirstNext
              • String ID:
              • API String ID: 2387731787-0
              APIs
                • Part of subcall function 00097D8B: inet_addr.WSOCK32(00000000), ref: 00097DB6
              • socket.WSOCK32(00000002,00000002,00000011), ref: 0009679E
              • WSAGetLastError.WSOCK32(00000000), ref: 000967C7
              • bind.WSOCK32(00000000,?,00000010), ref: 00096800
              • WSAGetLastError.WSOCK32(00000000), ref: 0009680D
              • closesocket.WSOCK32(00000000), ref: 00096821
              Similarity
              • API ID: ErrorLast$bindclosesocketinet_addrsocket
              • String ID:
              • API String ID: 99427753-0
              Similarity
              • API ID: Window$EnabledForegroundIconicVisibleZoomed
              • String ID:
              • API String ID: 292994002-0
              • Opcode ID: dc32d44c89b09743c67a4f643018e4e34b6bfdbae32d38db8ba5e1921d4f45a4
              • Instruction ID: 2b501e8f756719b1b21da0836ba5dfbf399276524868250c342b2f569149047c
              • Opcode Fuzzy Hash: dc32d44c89b09743c67a4f643018e4e34b6bfdbae32d38db8ba5e1921d4f45a4
              • Instruction Fuzzy Hash: FD11E732700D226FEB215FA6DC44A6E7BD8FF867A2B444439F946D7242CB74DD01C6A4
              APIs
              • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 000780C0
              • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 000780CA
              • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 000780D9
              • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 000780E0
              • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 000780F6
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: HeapInformationToken$AllocErrorLastProcess
              • String ID:
              • API String ID: 44706859-0
              • Opcode ID: ebbf5fa743ef212972cde5b95ecd14def45c38778a82ea125df61f5134e344e5
              • Instruction ID: fb8e7c6b0ec783d0d6567596a800b011d01160572130fc20de34e6582858d3a0
              • Opcode Fuzzy Hash: ebbf5fa743ef212972cde5b95ecd14def45c38778a82ea125df61f5134e344e5
              • Instruction Fuzzy Hash: 19F06231240605AFEB501FA5EC8DE773BACEF4A755B408025F949C6150CB699D41DB60
              APIs
              • CoInitialize.OLE32(00000000), ref: 0008C432
              • CoCreateInstance.OLE32(000B2D6C,00000000,00000001,000B2BDC,?), ref: 0008C44A
                • Part of subcall function 00027DE1: _memmove.LIBCMT ref: 00027E22
              • CoUninitialize.OLE32 ref: 0008C6B7
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: CreateInitializeInstanceUninitialize_memmove
              • String ID: .lnk
              • API String ID: 2683427295-24824748
              • Opcode ID: b6152db4b2b1317d92b9cab5610d21835b98e0bdcda0dbdf77dafe275001e754
              • Instruction ID: 4813ded817d9df2a28d1e712052eaf1dedc4b70880f17200b6a6dad56a2ecf32
              • Opcode Fuzzy Hash: b6152db4b2b1317d92b9cab5610d21835b98e0bdcda0dbdf77dafe275001e754
              • Instruction Fuzzy Hash: 1DA15B71104205AFD700EF54D881EAFB7E8FF85354F00492DF5999B1A2EB71EA49CB62
              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,?,00024AD0), ref: 00024B45
              • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00024B57
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: GetNativeSystemInfo$kernel32.dll
              • API String ID: 2574300362-192647395
              • Opcode ID: 2d25f4033b67f2bf4f6a7e3d7151395e1260d083ec9849dfd4be177f45935d7e
              • Instruction ID: f1e44243d92c61d453254cbce1811e52396188dd9bff2acf978cd924e85a4689
              • Opcode Fuzzy Hash: 2d25f4033b67f2bf4f6a7e3d7151395e1260d083ec9849dfd4be177f45935d7e
              • Instruction Fuzzy Hash: 1AD05B34A10723CFD7209FF1EC68B5676E8AF06391B11C83DD4C6D6150D774D480CA64
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: __itow__swprintf
              • String ID:
              • API String ID: 674341424-0
              • Opcode ID: f7bca6cc822aea394ff3ff763e5ec5bd5e38e28ff4f2bb8bd300aba2cd1ea2b3
              • Instruction ID: 0fc57bfcd17915c431767d08657c67710728c43bb348b948d02edd3fa3353b2e
              • Opcode Fuzzy Hash: f7bca6cc822aea394ff3ff763e5ec5bd5e38e28ff4f2bb8bd300aba2cd1ea2b3
              • Instruction Fuzzy Hash: F022B0716083119FC725DF14D891BAFB7E9BF84310F04492DF89A97292DB71EA44CB92
              APIs
              • CreateToolhelp32Snapshot.KERNEL32 ref: 0009EE3D
              • Process32FirstW.KERNEL32(00000000,?), ref: 0009EE4B
                • Part of subcall function 00027DE1: _memmove.LIBCMT ref: 00027E22
              • Process32NextW.KERNEL32(00000000,?), ref: 0009EF0B
              • CloseHandle.KERNEL32(00000000,?,?,?), ref: 0009EF1A
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
              • String ID:
              • API String ID: 2576544623-0
              • Opcode ID: 38ac6aa12d8dfbfd22ec04e543b8a5c8974a0cb99283e7a6278a86a01f32c9c8
              • Instruction ID: 5a0a325e167e148fa2c5bae93b4963132e522d739f40e8250fc508ce74b90f27
              • Opcode Fuzzy Hash: 38ac6aa12d8dfbfd22ec04e543b8a5c8974a0cb99283e7a6278a86a01f32c9c8
              • Instruction Fuzzy Hash: 2D518E71504711AFD710EF20DC85EABB7E8EF94710F50482DF995972A2EB70A908CB92
              APIs
              • lstrlenW.KERNEL32(?,?,?,00000000), ref: 0007E628
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: lstrlen
              • String ID: ($|
              • API String ID: 1659193697-1631851259
              • Opcode ID: 2e777fa723bd961ea892c3608ab21fc73c991fec2274c22e1448d27956a1d17a
              • Instruction ID: 9f7dfd64103e9a545fa1cb2a7257e138d48870fb22b838c8546882ce73c1bc74
              • Opcode Fuzzy Hash: 2e777fa723bd961ea892c3608ab21fc73c991fec2274c22e1448d27956a1d17a
              • Instruction Fuzzy Hash: 5B323675A017059FD728CF29C4819AAB7F0FF48310B15C4AEE99ADB3A2E774E941CB44
              APIs
              • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0009180A,00000000), ref: 000923E1
              • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00092418
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Internet$AvailableDataFileQueryRead
              • String ID:
              • API String ID: 599397726-0
              • Opcode ID: bfd52cec6d09d58ce48af7f83ffdd428e36cc6c4d0ac02332ad385af8fd0004c
              • Instruction ID: 4cb787090e03446dc1e8eda3981dd5b7867c432be074384d81a11863bbd2abae
              • Opcode Fuzzy Hash: bfd52cec6d09d58ce48af7f83ffdd428e36cc6c4d0ac02332ad385af8fd0004c
              • Instruction Fuzzy Hash: FE41C3B1904209BFEF20DE95DC85FBFB7FCEB40314F10806AF641A6141EA759E41AA64
              APIs
              • SetErrorMode.KERNEL32(00000001), ref: 0008B343
              • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0008B39D
              • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0008B3EA
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: ErrorMode$DiskFreeSpace
              • String ID:
              • API String ID: 1682464887-0
              • Opcode ID: 544ba3ee2376b8146dd37750b2975d72fff700d5cf24d1a5ed6058d20bdca242
              • Instruction ID: 18bcef262a60bc38f6900bef8e5754e6812a200e972573a736ad2718f41a8e32
              • Opcode Fuzzy Hash: 544ba3ee2376b8146dd37750b2975d72fff700d5cf24d1a5ed6058d20bdca242
              • Instruction Fuzzy Hash: 45217135A00518EFDB00EFA5D881AEEBBB8FF49310F1480AAE945AB352CB319915CB54
              APIs
                • Part of subcall function 00040DB6: std::exception::exception.LIBCMT ref: 00040DEC
                • Part of subcall function 00040DB6: __CxxThrowException@8.LIBCMT ref: 00040E01
              • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0007882B
              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00078858
              • GetLastError.KERNEL32 ref: 00078865
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
              • String ID:
              • API String ID: 1922334811-0
              • Opcode ID: 702824f70ad1283db826af6e32c5b6d0418871368e3193af5e45518c2330984b
              • Instruction ID: 4ffa9e954f185ea6df1e2d6d7f423ca83e1d27690a9c76c452009ebc804706c9
              • Opcode Fuzzy Hash: 702824f70ad1283db826af6e32c5b6d0418871368e3193af5e45518c2330984b
              • Instruction Fuzzy Hash: DB116DB2814205AFE718DFA4DC89D6BB7F8EB45711B20C52EE45997241EE34BC418B64
              APIs
              • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00078774
              • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0007878B
              • FreeSid.ADVAPI32(?), ref: 0007879B
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: AllocateCheckFreeInitializeMembershipToken
              • String ID:
              • API String ID: 3429775523-0
              • Opcode ID: a0722ab54917a20cfa07e1e4a95b63b5e5a3cec17763dd8736f468535abd2f0b
              • Instruction ID: 9f8489539195e361902b4359a18f9474371fa2cbdaba843524bc1ce7e223cf93
              • Opcode Fuzzy Hash: a0722ab54917a20cfa07e1e4a95b63b5e5a3cec17763dd8736f468535abd2f0b
              • Instruction Fuzzy Hash: 39F04F7595130DBFEF04DFF4DC89EBEB7BCEF08201F108469A501E2181E6755A048B50
              APIs
              • FindFirstFileW.KERNEL32(?,?), ref: 0008C6FB
              • FindClose.KERNEL32(00000000), ref: 0008C72B
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Find$CloseFileFirst
              • String ID:
              • API String ID: 2295610775-0
              • Opcode ID: 09a3dc45af40b52c50e864a34dbaed48402ab4aa778e00776fa1df0003a9fb73
              • Instruction ID: 8d46a50f478b06352c1e3060a51ae67dbf547b0043af3fa86c788a36397e17d3
              • Opcode Fuzzy Hash: 09a3dc45af40b52c50e864a34dbaed48402ab4aa778e00776fa1df0003a9fb73
              • Instruction Fuzzy Hash: 0111A1726006009FDB10EF29D845A6AF7E8FF85320F04851EF8AAC7291DB34AC01CF91
              APIs
              • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00099468,?,000AFB84,?), ref: 0008A097
              • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00099468,?,000AFB84,?), ref: 0008A0A9
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: ErrorFormatLastMessage
              • String ID:
              • API String ID: 3479602957-0
              • Opcode ID: 07fdd7d8e70c7c45b8a1d0a5916707c862edc4d807d5f8a603d026bfb5d9b454
              • Instruction ID: 6d126f20de8c79d5b29a952e0d844d30e19687b55f4e1b1b388b38835b7dbde5
              • Opcode Fuzzy Hash: 07fdd7d8e70c7c45b8a1d0a5916707c862edc4d807d5f8a603d026bfb5d9b454
              • Instruction Fuzzy Hash: 37F0823520522DABEB21AFA4DC48FEA776CBF09362F004166F949D6181D670AA44CBA1
              APIs
              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00078309), ref: 000781E0
              • CloseHandle.KERNEL32(?,?,00078309), ref: 000781F2
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: AdjustCloseHandlePrivilegesToken
              • String ID:
              • API String ID: 81990902-0
              • Opcode ID: 91407338473dbf5121d94b01437185d9c96b7079287df148f0e563249656378b
              • Instruction ID: c69286e69e2d681445ed975dd6596a7de2018d9679685b7415cd666ce47bdb68
              • Opcode Fuzzy Hash: 91407338473dbf5121d94b01437185d9c96b7079287df148f0e563249656378b
              • Instruction Fuzzy Hash: 6FE04672010A11AEEB212B62EC08DB37BEEEB00310710886DB9A684431CB32ACA0DB14
              APIs
              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00048D57,?,?,?,00000001), ref: 0004A15A
              • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0004A163
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: ExceptionFilterUnhandled
              • String ID:
              • API String ID: 3192549508-0
              • Opcode ID: b0dc7734f3bc00b3aad154c24d373d23a4fcfde39065b05d78ea1b097cc91fd5
              • Instruction ID: 8eb26ffcfb958aed445ca6e6b707e421638f24306f76202c051f4e7373a61562
              • Opcode Fuzzy Hash: b0dc7734f3bc00b3aad154c24d373d23a4fcfde39065b05d78ea1b097cc91fd5
              • Instruction Fuzzy Hash: 54B0923205460AABEF002BD1EC59BA83F68EB46AA2F404020F60D84060CBE656508A91
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b1a05da662e97d70db29166ec363e4228a43aeb62d956b8b368dea606a04f578
              • Instruction ID: 01ea0fedd0cfaeedf961bd634df591a2abc52be7d5624a2dcdb37981ed946b60
              • Opcode Fuzzy Hash: b1a05da662e97d70db29166ec363e4228a43aeb62d956b8b368dea606a04f578
              • Instruction Fuzzy Hash: 31320461D29F424DEB639634D872336A289AFB73C4F15D737F819B5EA6EB28C4834104
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 26e56efa24915c3821e3d2c1245e37eb3c34e25c70ef4d231ea3487f2f1bcb40
              • Instruction ID: f1676304189c4d4ffd329f06d3a39688667adc762eafa6c1c237cb3d1ebb861c
              • Opcode Fuzzy Hash: 26e56efa24915c3821e3d2c1245e37eb3c34e25c70ef4d231ea3487f2f1bcb40
              • Instruction Fuzzy Hash: 23B10120E2AF404DE72396398835336BB9CAFBB6C5F51D71BFC2670D22EB2585834241
              APIs
              • __time64.LIBCMT ref: 0008889B
                • Part of subcall function 0004520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00088F6E,00000000,?,?,?,?,0008911F,00000000,?), ref: 00045213
                • Part of subcall function 0004520A: __aulldiv.LIBCMT ref: 00045233
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Time$FileSystem__aulldiv__time64
              • String ID:
              • API String ID: 2893107130-0
              • Opcode ID: e96ae21db6c61fdc1e418b00b128361391c549515c1bba084c2796a15777c3f9
              • Instruction ID: 4fddf80a56eb0f01d31c22f230af6670bf4b60c98f8bb59ea9d2a9d7366edfef
              • Opcode Fuzzy Hash: e96ae21db6c61fdc1e418b00b128361391c549515c1bba084c2796a15777c3f9
              • Instruction Fuzzy Hash: A921D232625610CBD329CF25E881A52B3E1EBA5321F688E6CD1F5CF2C0CE35A905CB54
              APIs
              • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00084C4A
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: mouse_event
              • String ID:
              • API String ID: 2434400541-0
              • Opcode ID: 2edc7e4f81800860bcb5ca32736621800ead05256b0c74721138c06a91f173f2
              • Instruction ID: 14a3e456007c6541facacc7db52fef66f18e14680d8467cc464fc6fd5fbad5b2
              • Opcode Fuzzy Hash: 2edc7e4f81800860bcb5ca32736621800ead05256b0c74721138c06a91f173f2
              • Instruction Fuzzy Hash: 37D05EA116560B78FCEC2B209E2FF7A018CF300782FD0814972818A1C2EDC45C405334
              APIs
              • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00078389), ref: 000787D1
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: LogonUser
              • String ID:
              • API String ID: 1244722697-0
              • Opcode ID: 3a5463da9a0227678c840ae311c0b8bf845fe028d2e3d3f80935487788226c36
              • Instruction ID: e18e4c36d1f743d5186b0e1ead8d6fbbdcb94de6c1fe4f1fdd30bb5488b639af
              • Opcode Fuzzy Hash: 3a5463da9a0227678c840ae311c0b8bf845fe028d2e3d3f80935487788226c36
              • Instruction Fuzzy Hash: 49D05E322A090EABEF018EA4DC01EBE3B69EB04B01F408111FE15C50A1C775D835AF60
              APIs
              • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0004A12A
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: ExceptionFilterUnhandled
              • String ID:
              • API String ID: 3192549508-0
              • Opcode ID: 0bb39d376d1f8ef43fcbe03ac48761fadad4f7302f9007889786d5d61363de59
              • Instruction ID: 1b875fd39ac93c63c5ac2bdcce6490b8030891be5f9fdd52e8e2afb2f633c5fe
              • Opcode Fuzzy Hash: 0bb39d376d1f8ef43fcbe03ac48761fadad4f7302f9007889786d5d61363de59
              • Instruction Fuzzy Hash: 38A0123100010DA78F001B81EC044547F5CD7011907004020F40C4002187B255104580
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a6b34bc305015a33658becb955f63181b1a05b5d4a3799b99dddcf22289dede9
              • Instruction ID: 6622831e838c258a027f79fe7966f4a067c01a989f8d1c2df9c62208af205bf6
              • Opcode Fuzzy Hash: a6b34bc305015a33658becb955f63181b1a05b5d4a3799b99dddcf22289dede9
              • Instruction Fuzzy Hash: CF223930904746CBEF7A8A14C8947BC77E5FB01306F68C0ABF94A87592DBB89D91C752
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
              • Instruction ID: 31731cf5088b15e9cd8d5235bb272289114cff16f718bffb33ab6f4ed098309c
              • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
              • Instruction Fuzzy Hash: 34C1A4B23050930ADFAD5639843417EFAE15FA27B135A077DE8B3CB1D4EE20C965D624
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
              • Instruction ID: 07e33ba54b9681f26f16c620e1d64c922567508e87176c0cc926d571efba5136
              • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
              • Instruction Fuzzy Hash: 98C1A2B23091930ADFAD563AC43407EBAE15FA27F135A077DE4B2DB1D4EE20C964D624
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
              • Instruction ID: 71c26b18795e866f1011ed9a877f1e2ee64c73c099ebf12f2913a84a50c2d904
              • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
              • Instruction Fuzzy Hash: E6C1A1F220519309DFAD5639C4741BEBBE19FA27B131A077DD4B2CB1C4EE20C9A5C664
              APIs
              • DeleteObject.GDI32(00000000), ref: 0009785B
              • DeleteObject.GDI32(00000000), ref: 0009786D
              • DestroyWindow.USER32 ref: 0009787B
              • GetDesktopWindow.USER32 ref: 00097895
              • GetWindowRect.USER32(00000000), ref: 0009789C
              • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 000979DD
              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 000979ED
              • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00097A35
              • GetClientRect.USER32(00000000,?), ref: 00097A41
              • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00097A7B
              • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00097A9D
              • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00097AB0
              • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00097ABB
              • GlobalLock.KERNEL32(00000000), ref: 00097AC4
              • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00097AD3
              • GlobalUnlock.KERNEL32(00000000), ref: 00097ADC
              • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00097AE3
              • GlobalFree.KERNEL32(00000000), ref: 00097AEE
              • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00097B00
              • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,000B2CAC,00000000), ref: 00097B16
              • GlobalFree.KERNEL32(00000000), ref: 00097B26
              • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00097B4C
              • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00097B6B
              • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00097B8D
              • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00097D7A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
              • String ID: $AutoIt v3$DISPLAY$static
              • API String ID: 2211948467-2373415609
              • Opcode ID: 9c0a7dac47a76183abb217b04cdf8ece6f411cc9328d8468d86b3622379f91e9
              • Instruction ID: 9d41d4c2edd230787d92cd7734bd6c53c032a01327fb736fca6f7f2678fbf047
              • Opcode Fuzzy Hash: 9c0a7dac47a76183abb217b04cdf8ece6f411cc9328d8468d86b3622379f91e9
              • Instruction Fuzzy Hash: 15028A72910515EFEF14DFA4DD89EAE7BB9EF49310F048158F909AB2A1CB34AD01CB60
              APIs
              • CharUpperBuffW.USER32(?,?,000AF910), ref: 000A3627
              • IsWindowVisible.USER32(?), ref: 000A364B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: BuffCharUpperVisibleWindow
              • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
              • API String ID: 4105515805-45149045
              • Opcode ID: 1b7c92220afcfb440fed29d20154714fa2dcb30fa6bfc966861a4e5d7f44291c
              • Instruction ID: a19f31b5d10a562989652e1a543f7e83e9d30ae43f18a2e8825bf3b70111e090
              • Opcode Fuzzy Hash: 1b7c92220afcfb440fed29d20154714fa2dcb30fa6bfc966861a4e5d7f44291c
              • Instruction Fuzzy Hash: 2AD1C7702083119FCB14EF50C455AAE77E1AF56344F148469F88A6B3A3DF35DE0ACB96
              APIs
              • SetTextColor.GDI32(?,00000000), ref: 000AA630
              • GetSysColorBrush.USER32(0000000F), ref: 000AA661
              • GetSysColor.USER32(0000000F), ref: 000AA66D
              • SetBkColor.GDI32(?,000000FF), ref: 000AA687
              • SelectObject.GDI32(?,00000000), ref: 000AA696
              • InflateRect.USER32(?,000000FF,000000FF), ref: 000AA6C1
              • GetSysColor.USER32(00000010), ref: 000AA6C9
              • CreateSolidBrush.GDI32(00000000), ref: 000AA6D0
              • FrameRect.USER32(?,?,00000000), ref: 000AA6DF
              • DeleteObject.GDI32(00000000), ref: 000AA6E6
              • InflateRect.USER32(?,000000FE,000000FE), ref: 000AA731
              • FillRect.USER32(?,?,00000000), ref: 000AA763
              • GetWindowLongW.USER32(?,000000F0), ref: 000AA78E
                • Part of subcall function 000AA8CA: GetSysColor.USER32(00000012), ref: 000AA903
                • Part of subcall function 000AA8CA: SetTextColor.GDI32(?,?), ref: 000AA907
                • Part of subcall function 000AA8CA: GetSysColorBrush.USER32(0000000F), ref: 000AA91D
                • Part of subcall function 000AA8CA: GetSysColor.USER32(0000000F), ref: 000AA928
                • Part of subcall function 000AA8CA: GetSysColor.USER32(00000011), ref: 000AA945
                • Part of subcall function 000AA8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 000AA953
                • Part of subcall function 000AA8CA: SelectObject.GDI32(?,00000000), ref: 000AA964
                • Part of subcall function 000AA8CA: SetBkColor.GDI32(?,00000000), ref: 000AA96D
                • Part of subcall function 000AA8CA: SelectObject.GDI32(?,?), ref: 000AA97A
                • Part of subcall function 000AA8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 000AA999
                • Part of subcall function 000AA8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 000AA9B0
                • Part of subcall function 000AA8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 000AA9C5
                • Part of subcall function 000AA8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 000AA9ED
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
              • String ID:
              • API String ID: 3521893082-0
              • Opcode ID: 37101cb9aa612a39c9ee1e9807ebdf384d591f6818dcd76b8e5033863247f886
              • Instruction ID: e07283099faf9495aa7523544539ca330ae182e189d04fdc51f88dddca97db60
              • Opcode Fuzzy Hash: 37101cb9aa612a39c9ee1e9807ebdf384d591f6818dcd76b8e5033863247f886
              • Instruction Fuzzy Hash: E9917F71508B02AFD7509FA4DC08E6B7BE9FF4A321F100B29F5A2961E1D739D944CB52
              APIs
              • DestroyWindow.USER32(00000000), ref: 000974DE
              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0009759D
              • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 000975DB
              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 000975ED
              • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00097633
              • GetClientRect.USER32(00000000,?), ref: 0009763F
              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00097683
              • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00097692
              • GetStockObject.GDI32(00000011), ref: 000976A2
              • SelectObject.GDI32(00000000,00000000), ref: 000976A6
              • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 000976B6
              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 000976BF
              • DeleteDC.GDI32(00000000), ref: 000976C8
              • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 000976F4
              • SendMessageW.USER32(00000030,00000000,00000001), ref: 0009770B
              • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00097746
              • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0009775A
              • SendMessageW.USER32(00000404,00000001,00000000), ref: 0009776B
              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0009779B
              • GetStockObject.GDI32(00000011), ref: 000977A6
              • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 000977B1
              • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 000977BB
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
              • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
              • API String ID: 2910397461-517079104
              • Opcode ID: 68206ac0bac2c628b694699e4032ebc38e757df9307ca98debf148df8d9e9949
              • Instruction ID: 192e448e9971e152f5a00f46e668161e93cd2456b8e8eb2bf68e8fca37429108
              • Opcode Fuzzy Hash: 68206ac0bac2c628b694699e4032ebc38e757df9307ca98debf148df8d9e9949
              • Instruction Fuzzy Hash: 35A19071A00615BFEB14DBA4DC4AFBE7BB9EB05715F004118FA14AB2E1C774AD00CB64
              APIs
              • SetErrorMode.KERNEL32(00000001), ref: 0008AD1E
              • GetDriveTypeW.KERNEL32(?,000AFAC0,?,\\.\,000AF910), ref: 0008ADFB
              • SetErrorMode.KERNEL32(00000000,000AFAC0,?,\\.\,000AF910), ref: 0008AF59
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: ErrorMode$DriveType
              • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
              • API String ID: 2907320926-4222207086
              • Opcode ID: bd4f9741232e7dcf39821fb68565eb5cff522dad6e343ca7daca3562f015cc73
              • Instruction ID: 73beef95f2ee32224dd5ad163c1a348b2b24d34215f5bcaa68848364cc3b0ae5
              • Opcode Fuzzy Hash: bd4f9741232e7dcf39821fb68565eb5cff522dad6e343ca7daca3562f015cc73
              • Instruction Fuzzy Hash: 5D51A6B0744305ABAB50FB94C942DBD73A0FB4A710B208467E687ABB93DB709D41DB53
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: __wcsnicmp
              • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
              • API String ID: 1038674560-86951937
              • Opcode ID: 941b83950162ee0789215ce5afa21d39a180d7680068c9299e48f43714706f1f
              • Instruction ID: e54989272d022d33a7bff3adb214c612d8564084ebd1a52b305afcca771e8f19
              • Opcode Fuzzy Hash: 941b83950162ee0789215ce5afa21d39a180d7680068c9299e48f43714706f1f
              • Instruction Fuzzy Hash: 8C8106B1600225AACB25AA60EC86FFF77ACAF05700F045035FD45AB193EB72DE45C6A5
              APIs
              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 000A9AD2
              • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 000A9B8B
              • SendMessageW.USER32(?,00001102,00000002,?), ref: 000A9BA7
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: MessageSend$Window
              • String ID: 0
              • API String ID: 2326795674-4108050209
              • Opcode ID: 7c66e621781d432d27ace73318450df84ec9b06d8a01337e31a110646d67a397
              • Instruction ID: da255a07c0839a7b926e446e5f2d33143914a164831703874e83f01663307d26
              • Opcode Fuzzy Hash: 7c66e621781d432d27ace73318450df84ec9b06d8a01337e31a110646d67a397
              • Instruction Fuzzy Hash: 4C02C030204601AFEB65CFA4CC48BABBBE5FF8A314F04852DF995D62A1C775D944CB92
              APIs
              • GetSysColor.USER32(00000012), ref: 000AA903
              • SetTextColor.GDI32(?,?), ref: 000AA907
              • GetSysColorBrush.USER32(0000000F), ref: 000AA91D
              • GetSysColor.USER32(0000000F), ref: 000AA928
              • CreateSolidBrush.GDI32(?), ref: 000AA92D
              • GetSysColor.USER32(00000011), ref: 000AA945
              • CreatePen.GDI32(00000000,00000001,00743C00), ref: 000AA953
              • SelectObject.GDI32(?,00000000), ref: 000AA964
              • SetBkColor.GDI32(?,00000000), ref: 000AA96D
              • SelectObject.GDI32(?,?), ref: 000AA97A
              • InflateRect.USER32(?,000000FF,000000FF), ref: 000AA999
              • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 000AA9B0
              • GetWindowLongW.USER32(00000000,000000F0), ref: 000AA9C5
              • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 000AA9ED
              • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 000AAA14
              • InflateRect.USER32(?,000000FD,000000FD), ref: 000AAA32
              • DrawFocusRect.USER32(?,?), ref: 000AAA3D
              • GetSysColor.USER32(00000011), ref: 000AAA4B
              • SetTextColor.GDI32(?,00000000), ref: 000AAA53
              • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 000AAA67
              • SelectObject.GDI32(?,000AA5FA), ref: 000AAA7E
              • DeleteObject.GDI32(?), ref: 000AAA89
              • SelectObject.GDI32(?,?), ref: 000AAA8F
              • DeleteObject.GDI32(?), ref: 000AAA94
              • SetTextColor.GDI32(?,?), ref: 000AAA9A
              • SetBkColor.GDI32(?,?), ref: 000AAAA4
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
              • String ID:
              • API String ID: 1996641542-0
              • Opcode ID: 994795c62ba323497447ea5ac1c5af7783da8b8e6c8309f587ce9c4c22ad9405
              • Instruction ID: 4938501f5633c3c3da3710f8d11d5259dd51cc7b748cff8ad273f46bda1db499
              • Opcode Fuzzy Hash: 994795c62ba323497447ea5ac1c5af7783da8b8e6c8309f587ce9c4c22ad9405
              • Instruction Fuzzy Hash: AC512C71900609FFEB119FE4DC48EEE7BB9EB0A320F114625FA11AB2A1D7759940DB90
              APIs
              • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 000A8AC1
              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 000A8AD2
              • CharNextW.USER32(0000014E), ref: 000A8B01
              • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 000A8B42
              • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 000A8B58
              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 000A8B69
              • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 000A8B86
              • SetWindowTextW.USER32(?,0000014E), ref: 000A8BD8
              • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 000A8BEE
              • SendMessageW.USER32(?,00001002,00000000,?), ref: 000A8C1F
              • _memset.LIBCMT ref: 000A8C44
              • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 000A8C8D
              • _memset.LIBCMT ref: 000A8CEC
              • SendMessageW.USER32(?,00001053,000000FF,?), ref: 000A8D16
              • SendMessageW.USER32(?,00001074,?,00000001), ref: 000A8D6E
              • SendMessageW.USER32(?,0000133D,?,?), ref: 000A8E1B
              • InvalidateRect.USER32(?,00000000,00000001), ref: 000A8E3D
              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 000A8E87
              • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 000A8EB4
              • DrawMenuBar.USER32(?), ref: 000A8EC3
              • SetWindowTextW.USER32(?,0000014E), ref: 000A8EEB
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
              • String ID: 0
              • API String ID: 1073566785-4108050209
              • Opcode ID: 5677c46cf9a125e491db9187bf4a2b78fcbbf576970d29a76ea7694b648f700d
              • Instruction ID: 89242254dfdf3c6c9b50b97ea3a707c3b6b740f24d1b92fa9cfdfd283dc442ca
              • Opcode Fuzzy Hash: 5677c46cf9a125e491db9187bf4a2b78fcbbf576970d29a76ea7694b648f700d
              • Instruction Fuzzy Hash: 17E17270900219AFEF20DFA0CC84EFE7BB9EF0A710F148166F915AA191DB749980DF61
              APIs
              • GetCursorPos.USER32(?), ref: 000A49CA
              • GetDesktopWindow.USER32 ref: 000A49DF
              • GetWindowRect.USER32(00000000), ref: 000A49E6
              • GetWindowLongW.USER32(?,000000F0), ref: 000A4A48
              • DestroyWindow.USER32(?), ref: 000A4A74
              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 000A4A9D
              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 000A4ABB
              • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 000A4AE1
              • SendMessageW.USER32(?,00000421,?,?), ref: 000A4AF6
              • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 000A4B09
              • IsWindowVisible.USER32(?), ref: 000A4B29
              • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 000A4B44
              • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 000A4B58
              • GetWindowRect.USER32(?,?), ref: 000A4B70
              • MonitorFromPoint.USER32(?,?,00000002), ref: 000A4B96
              • GetMonitorInfoW.USER32(00000000,?), ref: 000A4BB0
              • CopyRect.USER32(?,?), ref: 000A4BC7
              • SendMessageW.USER32(?,00000412,00000000), ref: 000A4C32
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
              • String ID: ($0$tooltips_class32
              • API String ID: 698492251-4156429822
              • Opcode ID: 079f047b1f1d3675653a4399e9e6c870d99b579ec7643f2e48fc0898954fc03b
              • Instruction ID: 81bc5366425745288598365cf36613d63adc537aa197d1c4207b2eea0944c52b
              • Opcode Fuzzy Hash: 079f047b1f1d3675653a4399e9e6c870d99b579ec7643f2e48fc0898954fc03b
              • Instruction Fuzzy Hash: 72B19C74604351AFDB44DFA4D844B6BBBE4BF85310F008A1CF5999B291D7B4EC05CB96
              APIs
              • GetFileVersionInfoSizeW.VERSION(?,?), ref: 000844AC
              • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 000844D2
              • _wcscpy.LIBCMT ref: 00084500
              • _wcscmp.LIBCMT ref: 0008450B
              • _wcscat.LIBCMT ref: 00084521
              • _wcsstr.LIBCMT ref: 0008452C
              • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00084548
              • _wcscat.LIBCMT ref: 00084591
              • _wcscat.LIBCMT ref: 00084598
              • _wcsncpy.LIBCMT ref: 000845C3
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
              • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
              • API String ID: 699586101-1459072770
              • Opcode ID: bbf5b10362ccd098b40f58ff0febe4915f6905bb57b4a15ccc4178ec0ea6a5b8
              • Instruction ID: c4ff00e49611c3ea4dc5b22cccb4bfde0053862a67fea49fcd1bfa5df2353800
              • Opcode Fuzzy Hash: bbf5b10362ccd098b40f58ff0febe4915f6905bb57b4a15ccc4178ec0ea6a5b8
              • Instruction Fuzzy Hash: B841DBB1A002027BD711BAB58C47EFF77ACEF52710F04417AFA45E6183EB349A1197A9
              APIs
              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 000228BC
              • GetSystemMetrics.USER32(00000007), ref: 000228C4
              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 000228EF
              • GetSystemMetrics.USER32(00000008), ref: 000228F7
              • GetSystemMetrics.USER32(00000004), ref: 0002291C
              • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00022939
              • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00022949
              • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0002297C
              • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00022990
              • GetClientRect.USER32(00000000,000000FF), ref: 000229AE
              • GetStockObject.GDI32(00000011), ref: 000229CA
              • SendMessageW.USER32(00000000,00000030,00000000), ref: 000229D5
                • Part of subcall function 00022344: GetCursorPos.USER32(?), ref: 00022357
                • Part of subcall function 00022344: ScreenToClient.USER32(000E57B0,?), ref: 00022374
                • Part of subcall function 00022344: GetAsyncKeyState.USER32(00000001), ref: 00022399
                • Part of subcall function 00022344: GetAsyncKeyState.USER32(00000002), ref: 000223A7
              • SetTimer.USER32(00000000,00000000,00000028,00021256), ref: 000229FC
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
              • String ID: AutoIt v3 GUI
              • API String ID: 1458621304-248962490
              • Opcode ID: 63c3ae1a2b1897752175a1b56d27e604793e494fd9b22d043a86171ca967b220
              • Instruction ID: ea2b34f477d3d73896060f22ccb0986f85cce1781ed8218e75749ccbcb7f198e
              • Opcode Fuzzy Hash: 63c3ae1a2b1897752175a1b56d27e604793e494fd9b22d043a86171ca967b220
              • Instruction Fuzzy Hash: 9AB19171A0061AEFEB14DFA8DD45BAE77B4FB08315F104229FA15A7290DB74D851CB50
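              The record above (the routine that creates the "AutoIt v3 GUI" window class and arms a timer) and the title-matching routine further down (String ID with the "[CLASS:", "[HANDLE:" and "[REGEXPTITLE:" prefixes) are the AutoIt3 interpreter's own GUI code, not the logic of the script it carries, which is what the "compiled AutoIt script" signature in this report is built on. The Python below is an added example, not Joe Sandbox or AutoIt code: it parses function records in the bullet layout used on this page into API calls, strings and similarity fields, strips the "Download File" link residue, and flags records containing AutoIt runtime markers. The record layout is inferred from the visible listing (an assumption), SAMPLE is two records copied from this report, and the marker list is deliberately limited to strings that occur here and are known AutoIt3 interpreter strings (its GUI window class, advanced window descriptions and GUI macros).

```python
"""Added example (not Joe Sandbox or AutoIt code): parse Joe Sandbox function
records in the bullet layout of this report and flag AutoIt3 runtime markers.
Assumed layout: a record starts at an "APIs" line, API calls read
"Name.MODULE(args), ref: ADDR", fields read "Key: value", String IDs use '$'."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

AUTOIT_MARKERS = (
    "AutoIt v3 GUI",                                # window class of the AutoIt3 GUI runtime
    "[CLASS:", "[HANDLE:", "[REGEXPTITLE:",         # AutoIt advanced window description prefixes
    "@GUI_DRAGFILE", "@GUI_DRAGID", "@GUI_DROPID",  # AutoIt GUI drag-and-drop macros
)

# "• Name.MODULE(args), ref: ADDR", optionally prefixed "Part of subcall function X: "
_API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[\w@]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
# "• Key: value" lines of the Memory Dump Source and Similarity sections
_FIELD_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str
    subcall_of: Optional[str] = None  # callee address for "Part of subcall" lines


@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def api_string_id(self) -> str:
        return self.fields.get("API String ID", "")


def parse_records(text: str) -> List[FunctionRecord]:
    """One FunctionRecord per "APIs" header; unknown lines are ignored."""
    records: List[FunctionRecord] = []
    cur: Optional[FunctionRecord] = None
    for raw in text.splitlines():
        # Strip the "Download File" link text the HTML export glues onto dump lines.
        line = raw.strip().replace("Download File", "").rstrip()
        if line == "APIs":
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None or not line.startswith("•"):
            continue  # bare section headers ("Strings", "Similarity") carry no data
        m = _API_RE.match(line)
        if m:
            args = [a for a in (m.group("args") or "").split(",") if a]
            cur.apis.append(ApiCall(m.group("name"), m.group("module"),
                                    args, m.group("ref"), m.group("sub")))
            continue
        m = _FIELD_RE.match(line)
        if m:
            key, val = m.group("key"), m.group("val").strip()
            cur.fields[key] = val  # repeated keys (Associated) keep the last value
            if key == "String ID":
                cur.strings = [s for s in val.split("$") if s]
    return records


def autoit_markers(rec: FunctionRecord) -> Set[str]:
    """Markers present in the String ID or as literal API arguments."""
    haystack = list(rec.strings)
    for call in rec.apis:
        haystack.extend(call.args)
    return {mk for mk in AUTOIT_MARKERS if any(mk in h for h in haystack)}


def triage(text: str) -> List[dict]:
    """One summary row per record: similarity ID, API count, AutoIt markers."""
    return [{"api_string_id": rec.api_string_id, "n_apis": len(rec.apis),
             "markers": sorted(autoit_markers(rec))} for rec in parse_records(text)]


# Constructed sample: two records copied from this report, link residue included.
SAMPLE = """\
APIs
• CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0002297C
  • Part of subcall function 00022344: GetCursorPos.USER32(?), ref: 00022357
• SetTimer.USER32(00000000,00000000,00000028,00021256), ref: 000229FC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
• Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• String ID: AutoIt v3 GUI
• API String ID: 1458621304-248962490
APIs
Strings
Similarity
• API ID: __wcsnicmp
• String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
• API String ID: 1038674560-1810252412
"""

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

              Feed it the whole function listing rather than the excerpt and the rows with a non-empty marker set separate interpreter housekeeping from the functions worth reading by hand; the API String ID survives the parse so hits can be cross-referenced with other AutoIt-packed samples.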
              APIs
              • GetClassNameW.USER32(?,?,00000100), ref: 0007A47A
              • __swprintf.LIBCMT ref: 0007A51B
              • _wcscmp.LIBCMT ref: 0007A52E
              • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0007A583
              • _wcscmp.LIBCMT ref: 0007A5BF
              • GetClassNameW.USER32(?,?,00000400), ref: 0007A5F6
              • GetDlgCtrlID.USER32(?), ref: 0007A648
              • GetWindowRect.USER32(?,?), ref: 0007A67E
              • GetParent.USER32(?), ref: 0007A69C
              • ScreenToClient.USER32(00000000), ref: 0007A6A3
              • GetClassNameW.USER32(?,?,00000100), ref: 0007A71D
              • _wcscmp.LIBCMT ref: 0007A731
              • GetWindowTextW.USER32(?,?,00000400), ref: 0007A757
              • _wcscmp.LIBCMT ref: 0007A76B
                • Part of subcall function 0004362C: _iswctype.LIBCMT ref: 00043634
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
              • String ID: %s%u
              • API String ID: 3744389584-679674701
              • Opcode ID: 5199269cf6b9c3fe6ad2bcaf996724b04d363fc2cee877c6afc749349bba0166
              • Instruction ID: 12c096b4b7e4a9da30d6d8e0a97f6fbe1ef7aa014b1873fe83ae0c2ddd6a0e31
              • Opcode Fuzzy Hash: 5199269cf6b9c3fe6ad2bcaf996724b04d363fc2cee877c6afc749349bba0166
              • Instruction Fuzzy Hash: EEA1CF71704606ABD718DF64C884BAEB7E8FF85314F00C629F99DC2191DB38E945CBA6
              APIs
              • GetClassNameW.USER32(00000008,?,00000400), ref: 0007AF18
              • _wcscmp.LIBCMT ref: 0007AF29
              • GetWindowTextW.USER32(00000001,?,00000400), ref: 0007AF51
              • CharUpperBuffW.USER32(?,00000000), ref: 0007AF6E
              • _wcscmp.LIBCMT ref: 0007AF8C
              • _wcsstr.LIBCMT ref: 0007AF9D
              • GetClassNameW.USER32(00000018,?,00000400), ref: 0007AFD5
              • _wcscmp.LIBCMT ref: 0007AFE5
              • GetWindowTextW.USER32(00000002,?,00000400), ref: 0007B00C
              • GetClassNameW.USER32(00000018,?,00000400), ref: 0007B055
              • _wcscmp.LIBCMT ref: 0007B065
              • GetClassNameW.USER32(00000010,?,00000400), ref: 0007B08D
              • GetWindowRect.USER32(00000004,?), ref: 0007B0F6
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
              • String ID: @$ThumbnailClass
              • API String ID: 1788623398-1539354611
              • Opcode ID: 55ceef73116c0c38f6a3f7380eb51ce25a79df576b8cd80e79b29a5f902bc116
              • Instruction ID: 49a3cf6dc5bd95fe60a7366b16c83f53916e9b8e314bf471e61a05fee7503a95
              • Opcode Fuzzy Hash: 55ceef73116c0c38f6a3f7380eb51ce25a79df576b8cd80e79b29a5f902bc116
              • Instruction Fuzzy Hash: D881C07150830A9FDB15DF50C881FAA7BE8EF85314F44C46AFD898A092DB38DD45CBA5
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: __wcsnicmp
              • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
              • API String ID: 1038674560-1810252412
              • Opcode ID: 7ad6233228715510ee2f10df0140a4afc36aad4c8801b17c439166491d254d53
              • Instruction ID: 0d69178b3b79836612b192a73ebf3da67c7261d758de9267fe72c24c5f04d0ca
              • Opcode Fuzzy Hash: 7ad6233228715510ee2f10df0140a4afc36aad4c8801b17c439166491d254d53
              • Instruction Fuzzy Hash: 14310430A48319BADA11EA54EE03EEE73A4AF51710F60402AF50D751D2FF656F04C66B
              APIs
              • LoadCursorW.USER32(00000000,00007F8A), ref: 00095013
              • LoadCursorW.USER32(00000000,00007F00), ref: 0009501E
              • LoadCursorW.USER32(00000000,00007F03), ref: 00095029
              • LoadCursorW.USER32(00000000,00007F8B), ref: 00095034
              • LoadCursorW.USER32(00000000,00007F01), ref: 0009503F
              • LoadCursorW.USER32(00000000,00007F81), ref: 0009504A
              • LoadCursorW.USER32(00000000,00007F88), ref: 00095055
              • LoadCursorW.USER32(00000000,00007F80), ref: 00095060
              • LoadCursorW.USER32(00000000,00007F86), ref: 0009506B
              • LoadCursorW.USER32(00000000,00007F83), ref: 00095076
              • LoadCursorW.USER32(00000000,00007F85), ref: 00095081
              • LoadCursorW.USER32(00000000,00007F82), ref: 0009508C
              • LoadCursorW.USER32(00000000,00007F84), ref: 00095097
              • LoadCursorW.USER32(00000000,00007F04), ref: 000950A2
              • LoadCursorW.USER32(00000000,00007F02), ref: 000950AD
              • LoadCursorW.USER32(00000000,00007F89), ref: 000950B8
              • GetCursorInfo.USER32(?), ref: 000950C8
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Cursor$Load$Info
              • String ID:
              • API String ID: 2577412497-0
              • Opcode ID: d533aa87cae1a618d5af2a965fe9dfc9ec99fe539bf26bcfd7faae3480003b8d
              • Instruction ID: 68ceba28db5eea35fdf3fa7d8ebc25dc162e5e8be83c093f5048503a7dc8b3e1
              • Opcode Fuzzy Hash: d533aa87cae1a618d5af2a965fe9dfc9ec99fe539bf26bcfd7faae3480003b8d
              • Instruction Fuzzy Hash: 433107B1D487196ADF509FB68C899AFBFE8FF04750F50452AE50DE7280DA7865008F91
              APIs
              • _memset.LIBCMT ref: 000AA259
              • DestroyWindow.USER32(?,?), ref: 000AA2D3
                • Part of subcall function 00027BCC: _memmove.LIBCMT ref: 00027C06
              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 000AA34D
              • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 000AA36F
              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 000AA382
              • DestroyWindow.USER32(00000000), ref: 000AA3A4
              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00020000,00000000), ref: 000AA3DB
              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 000AA3F4
              • GetDesktopWindow.USER32 ref: 000AA40D
              • GetWindowRect.USER32(00000000), ref: 000AA414
              • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 000AA42C
              • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 000AA444
                • Part of subcall function 000225DB: GetWindowLongW.USER32(?,000000EB), ref: 000225EC
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
              • String ID: 0$tooltips_class32
              • API String ID: 1297703922-3619404913
              • Opcode ID: 6f1cf9e2fd89dec204dadec7ed74c910619d48c1e24ec364c7532c04dc81ef74
              • Instruction ID: 0594ab93098a8965e450d6d9e0a5ef179e4a280885bdeb45b0e4f703fbbbfc4f
              • Opcode Fuzzy Hash: 6f1cf9e2fd89dec204dadec7ed74c910619d48c1e24ec364c7532c04dc81ef74
              • Instruction Fuzzy Hash: BD71BF71240645AFE721CF68CC48F6A77E5FB8E704F04492DF9859B2A1D774E902CB52
              APIs
                • Part of subcall function 00022612: GetWindowLongW.USER32(?,000000EB), ref: 00022623
              • DragQueryPoint.SHELL32(?,?), ref: 000AC627
                • Part of subcall function 000AAB37: ClientToScreen.USER32(?,?), ref: 000AAB60
                • Part of subcall function 000AAB37: GetWindowRect.USER32(?,?), ref: 000AABD6
                • Part of subcall function 000AAB37: PtInRect.USER32(?,?,000AC014), ref: 000AABE6
              • SendMessageW.USER32(?,000000B0,?,?), ref: 000AC690
              • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 000AC69B
              • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 000AC6BE
              • _wcscat.LIBCMT ref: 000AC6EE
              • SendMessageW.USER32(?,000000C2,00000001,?), ref: 000AC705
              • SendMessageW.USER32(?,000000B0,?,?), ref: 000AC71E
              • SendMessageW.USER32(?,000000B1,?,?), ref: 000AC735
              • SendMessageW.USER32(?,000000B1,?,?), ref: 000AC757
              • DragFinish.SHELL32(?), ref: 000AC75E
              • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 000AC851
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
              • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
              • API String ID: 169749273-3440237614
              • Opcode ID: a8cd432b16548785874886670904bb19474d035dede8952943f504586bde2337
              • Instruction ID: f80ce648cc2913cfa409e5411b2719112ac6a61f4ce1bc25323238c09e5db7ec
              • Opcode Fuzzy Hash: a8cd432b16548785874886670904bb19474d035dede8952943f504586bde2337
              • Instruction Fuzzy Hash: 73618E71108301AFD701EFA4DC85DAFBBF8EF89750F04092EF595961A2DB709949CBA2
              APIs
              • VariantInit.OLEAUT32(00000000), ref: 00087D5F
              • VariantCopy.OLEAUT32(00000000,?), ref: 00087D68
              • VariantClear.OLEAUT32(00000000), ref: 00087D74
              • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00087E62
              • __swprintf.LIBCMT ref: 00087E92
              • VarR8FromDec.OLEAUT32(?,?), ref: 00087EBE
              • VariantInit.OLEAUT32(?), ref: 00087F6F
              • SysFreeString.OLEAUT32(00000016), ref: 00088003
              • VariantClear.OLEAUT32(?), ref: 0008805D
              • VariantClear.OLEAUT32(?), ref: 0008806C
              • VariantInit.OLEAUT32(00000000), ref: 000880AA
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
              • String ID: %4d%02d%02d%02d%02d%02d$Default
              • API String ID: 3730832054-3931177956
              • Opcode ID: 00515ab12f4a87cddd80cb7944d5540766fe8283ebbf23eec4ec09aaabf62b35
              • Instruction ID: ab49f4657e0993bfa81ffa98275fcb50351a2c8b96b75e3c854e9a5a34c23f3c
              • Opcode Fuzzy Hash: 00515ab12f4a87cddd80cb7944d5540766fe8283ebbf23eec4ec09aaabf62b35
              • Instruction Fuzzy Hash: A0D1E470A08616DBDB20FFA5D844BBEB7F4BF05300F248465E5899B289DB34EC44DBA1
              APIs
              • CharUpperBuffW.USER32(?,?), ref: 000A4424
              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 000A446F
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: BuffCharMessageSendUpper
              • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
              • API String ID: 3974292440-4258414348
              • Opcode ID: d2ea11429155d7e81aa78130bd38f30c196fc5d8f75da6495f086d5928c2db4e
              • Instruction ID: 41f8aa46736c08f7775484a0182a8b87c95c33fc2a16ba8e3a7492ebc6350c28
              • Opcode Fuzzy Hash: d2ea11429155d7e81aa78130bd38f30c196fc5d8f75da6495f086d5928c2db4e
              • Instruction Fuzzy Hash: A691C0746047119FCB04EF60C451AAEB7E1AF86350F04886DF8966B3A3CB74ED09CB96
              APIs
              • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 000AB8B4
              • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,000A91C2), ref: 000AB910
              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 000AB949
              • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 000AB98C
              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 000AB9C3
              • FreeLibrary.KERNEL32(?), ref: 000AB9CF
              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 000AB9DF
              • DestroyIcon.USER32(?,?,?,?,?,000A91C2), ref: 000AB9EE
              • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 000ABA0B
              • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 000ABA17
                • Part of subcall function 00042EFD: __wcsicmp_l.LIBCMT ref: 00042F86
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
              • String ID: .dll$.exe$.icl
              • API String ID: 1212759294-1154884017
              • Opcode ID: 6d1fdf6eec7bc128a1874e595541c6e4026973da7ac9c37cd0b10c6b0f868930
              • Instruction ID: 1fa847888a62aa9d767bb931e2d0f276143e64bb51d6b4a88035d4cd9e93857e
              • Opcode Fuzzy Hash: 6d1fdf6eec7bc128a1874e595541c6e4026973da7ac9c37cd0b10c6b0f868930
              • Instruction Fuzzy Hash: BC61F071A00619BAEB14DFA4CC41FFE7BACEF0A721F104116FA15D61D2DB789990DBA0
              APIs
              • GetLocalTime.KERNEL32(?), ref: 0008DCDC
              • SystemTimeToFileTime.KERNEL32(?,?), ref: 0008DCEC
              • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0008DCF8
              • __wsplitpath.LIBCMT ref: 0008DD56
              • _wcscat.LIBCMT ref: 0008DD6E
              • _wcscat.LIBCMT ref: 0008DD80
              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0008DD95
              • SetCurrentDirectoryW.KERNEL32(?), ref: 0008DDA9
              • SetCurrentDirectoryW.KERNEL32(?), ref: 0008DDDB
              • SetCurrentDirectoryW.KERNEL32(?), ref: 0008DDFC
              • _wcscpy.LIBCMT ref: 0008DE08
              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0008DE47
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
              • String ID: *.*
              • API String ID: 3566783562-438819550
              • Opcode ID: 7eb133ac86f63e6d8e143b6afd0b2e1a7de1dc0112664921a3175b2415af3145
              • Instruction ID: 2a7da156b933d2c1e69907878df2fba99cbad3b77b3a77a611c613713e93dc89
              • Opcode Fuzzy Hash: 7eb133ac86f63e6d8e143b6afd0b2e1a7de1dc0112664921a3175b2415af3145
              • Instruction Fuzzy Hash: F7616A725043069FCB10EF60D844AAEB3E8FF89310F04492EF999C7292DB35E945CB92
              APIs
              • LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00089C7F
                • Part of subcall function 00027DE1: _memmove.LIBCMT ref: 00027E22
              • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00089CA0
              • __swprintf.LIBCMT ref: 00089CF9
              • __swprintf.LIBCMT ref: 00089D12
              • _wprintf.LIBCMT ref: 00089DB9
              • _wprintf.LIBCMT ref: 00089DD7
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: LoadString__swprintf_wprintf$_memmove
              • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
              • API String ID: 311963372-3080491070
              • Opcode ID: b83ca037fad87e73660eabf0ce57e9e025761e5773b9e90da0fc234801ab9ce9
              • Instruction ID: d3486ddd059ebf51118c13e134f68be2961da26d7b1eb8a32c0c6f14dd43e9f1
              • Opcode Fuzzy Hash: b83ca037fad87e73660eabf0ce57e9e025761e5773b9e90da0fc234801ab9ce9
              • Instruction Fuzzy Hash: B251917190061AAADF15FBE0DD86EFEB778AF04301F204065B609761A2EF352F58DB64
              APIs
                • Part of subcall function 00029837: __itow.LIBCMT ref: 00029862
                • Part of subcall function 00029837: __swprintf.LIBCMT ref: 000298AC
              • CharLowerBuffW.USER32(?,?), ref: 0008A3CB
              • GetDriveTypeW.KERNEL32 ref: 0008A418
              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0008A460
              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0008A497
              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0008A4C5
                • Part of subcall function 00027BCC: _memmove.LIBCMT ref: 00027C06
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
              • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
              • API String ID: 2698844021-4113822522
              • Opcode ID: 1328cb548a6309ed170664f1f23bc161b80197aa510ea515e0ce544ae80cc841
              • Instruction ID: 28e944e6dcbd18d34233ab9863fe6e11f518b3906676b9a330e4c8a401656032
              • Opcode Fuzzy Hash: 1328cb548a6309ed170664f1f23bc161b80197aa510ea515e0ce544ae80cc841
              • Instruction Fuzzy Hash: 92515F711043159FD700EF10D8919AAB3E4FF85718F14886EF89957262DB31ED09CB52
              APIs
              • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,0005E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 0007F8DF
              • LoadStringW.USER32(00000000,?,0005E029,00000001), ref: 0007F8E8
                • Part of subcall function 00027DE1: _memmove.LIBCMT ref: 00027E22
              • GetModuleHandleW.KERNEL32(00000000,000E5310,?,00000FFF,?,?,0005E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 0007F90A
              • LoadStringW.USER32(00000000,?,0005E029,00000001), ref: 0007F90D
              • __swprintf.LIBCMT ref: 0007F95D
              • __swprintf.LIBCMT ref: 0007F96E
              • _wprintf.LIBCMT ref: 0007FA17
              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0007FA2E
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
              • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
              • API String ID: 984253442-2268648507
              • Opcode ID: cb0127e9a54005c85886bdff15bb4ab52c3bc1c970a2758ad72eef617f36b0f5
              • Instruction ID: d592363bceddab95024dae95ba410d699441ebf99808291febc131c3bd47e6ab
              • Opcode Fuzzy Hash: cb0127e9a54005c85886bdff15bb4ab52c3bc1c970a2758ad72eef617f36b0f5
              • Instruction Fuzzy Hash: E0411D7280421AAACF15FBE0ED86EFE7778AF14301F104065B609B6093EA356F49CB65
              APIs
              • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,000A9207,?,?), ref: 000ABA56
              • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,000A9207,?,?,00000000,?), ref: 000ABA6D
              • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,000A9207,?,?,00000000,?), ref: 000ABA78
              • CloseHandle.KERNEL32(00000000,?,?,?,?,000A9207,?,?,00000000,?), ref: 000ABA85
              • GlobalLock.KERNEL32(00000000), ref: 000ABA8E
              • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,000A9207,?,?,00000000,?), ref: 000ABA9D
              • GlobalUnlock.KERNEL32(00000000), ref: 000ABAA6
              • CloseHandle.KERNEL32(00000000,?,?,?,?,000A9207,?,?,00000000,?), ref: 000ABAAD
              • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,000A9207,?,?,00000000,?), ref: 000ABABE
              • OleLoadPicture.OLEAUT32(?,00000000,00000000,000B2CAC,?), ref: 000ABAD7
              • GlobalFree.KERNEL32(00000000), ref: 000ABAE7
              • GetObjectW.GDI32(00000000,00000018,?), ref: 000ABB0B
              • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 000ABB36
              • DeleteObject.GDI32(00000000), ref: 000ABB5E
              • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 000ABB74
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
              • String ID:
              • API String ID: 3840717409-0
              • Opcode ID: 3a40a8cc76b3f31c31182a20229bd6150f1210dc53e640620219c45cf5391876
              • Instruction ID: 9c7675a175907db9df037bbfa25bfd21406499fb9cd9baa3bbf478988b829445
              • Opcode Fuzzy Hash: 3a40a8cc76b3f31c31182a20229bd6150f1210dc53e640620219c45cf5391876
              • Instruction Fuzzy Hash: 00412775600609EFEB219FA5DC88EBABBB8FB8A711F104168F905D7261D7749E01CB60
              APIs
              • __wsplitpath.LIBCMT ref: 0008DA10
              • _wcscat.LIBCMT ref: 0008DA28
              • _wcscat.LIBCMT ref: 0008DA3A
              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0008DA4F
              • SetCurrentDirectoryW.KERNEL32(?), ref: 0008DA63
              • GetFileAttributesW.KERNEL32(?), ref: 0008DA7B
              • SetFileAttributesW.KERNEL32(?,00000000), ref: 0008DA95
              • SetCurrentDirectoryW.KERNEL32(?), ref: 0008DAA7
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
              • String ID: *.*
              • API String ID: 34673085-438819550
              • Opcode ID: dacd8680b819f34c6d587ebc038fd48cb5a6e8b6cd67e629b2645e813b12950a
              • Instruction ID: 61d8b382bf401115c0dbd78fa4f2909caa9894bcc69ccdfa60d30a5a31a8f78c
              • Opcode Fuzzy Hash: dacd8680b819f34c6d587ebc038fd48cb5a6e8b6cd67e629b2645e813b12950a
              • Instruction Fuzzy Hash: 898160715042419FCB64FF64C844AAEB7E8BF89710F188A2FF8C9C7291EA30D945CB52
              APIs
                • Part of subcall function 00022612: GetWindowLongW.USER32(?,000000EB), ref: 00022623
              • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 000AC1FC
              • GetFocus.USER32 ref: 000AC20C
              • GetDlgCtrlID.USER32(00000000), ref: 000AC217
              • _memset.LIBCMT ref: 000AC342
              • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 000AC36D
              • GetMenuItemCount.USER32(?), ref: 000AC38D
              • GetMenuItemID.USER32(?,00000000), ref: 000AC3A0
              • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 000AC3D4
              • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 000AC41C
              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 000AC454
              • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 000AC489
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
              • String ID: 0
              • API String ID: 1296962147-4108050209
              • Opcode ID: e067b48e7aedef826045fd214c61e38f1e4bc05c7d03d760018701dfa2e2ef09
              • Instruction ID: 8e7e6328093641aa42b7ef482f922c8e1ca2305eebff8630d485050960f92750
              • Opcode Fuzzy Hash: e067b48e7aedef826045fd214c61e38f1e4bc05c7d03d760018701dfa2e2ef09
              • Instruction Fuzzy Hash: E181A0716083019FEB60CFA4C894EBBBBE4FB8A714F01492DF99597291C770D905CB92
              APIs
              • GetDC.USER32(00000000), ref: 0009738F
              • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0009739B
              • CreateCompatibleDC.GDI32(?), ref: 000973A7
              • SelectObject.GDI32(00000000,?), ref: 000973B4
              • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00097408
              • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00097444
              • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00097468
              • SelectObject.GDI32(00000006,?), ref: 00097470
              • DeleteObject.GDI32(?), ref: 00097479
              • DeleteDC.GDI32(00000006), ref: 00097480
              • ReleaseDC.USER32(00000000,?), ref: 0009748B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
              • String ID: (
              • API String ID: 2598888154-3887548279
              • Opcode ID: 453b36f91a4979f532d1b17dcc997864e3dd6db0576cb8387ee9312236bde8c4
              • Instruction ID: 9f3142f67c57c5c58cb10c3720121f1a727843ca69baf2f825588b6de4c28a70
              • Opcode Fuzzy Hash: 453b36f91a4979f532d1b17dcc997864e3dd6db0576cb8387ee9312236bde8c4
              • Instruction Fuzzy Hash: DD515A76904709EFDB24CFA8CC84EAEBBB9EF49310F14852DF999A7211C735A940DB50
              APIs
                • Part of subcall function 00040957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00026B0C,?,00008000), ref: 00040973
                • Part of subcall function 00024750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00024743,?,?,000237AE,?), ref: 00024770
              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00026BAD
              • SetCurrentDirectoryW.KERNEL32(?), ref: 00026CFA
                • Part of subcall function 0002586D: _wcscpy.LIBCMT ref: 000258A5
                • Part of subcall function 0004363D: _iswctype.LIBCMT ref: 00043645
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
              • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
              • API String ID: 537147316-1018226102
              • Opcode ID: 0656b1b6ac11cad61132ec82deceaf46c622fc96bd02f5138202912ec2cc201b
              • Instruction ID: 8273caec1535bc7694d7cf0e92f21c2b9cc63797bf9c632fccb53c1b983b17ac
              • Opcode Fuzzy Hash: 0656b1b6ac11cad61132ec82deceaf46c622fc96bd02f5138202912ec2cc201b
              • Instruction Fuzzy Hash: 2B02CD705083519FC724EF20D881AAFBBE5EF99354F10482DF8C9972A2DB31DA49CB52
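The function above is the AutoIt3 script loader: its strings (">>>AUTOIT SCRIPT<<<", "AU3!", "EA06", the "#include depth exceeded" and "Unterminated string" diagnostics) are what a triage analyst greps a memory dump for to confirm the "compiled AutoIt script" verdict from the signature list. The following Python is an added example, not code from the report, from Joe Sandbox or from AutoIt. It assumes that the loader checks the embedded script header as the single tag "AU3!EA06" (the report only shows "AU3!" and "EA06" as separate strings) and that the runtime's own strings are stored UTF-16LE, which the wide-char APIs in these blocks (LoadStringW, __swprintf) make likely; the sample buffer is constructed, not a real dump.

```python
"""Scan a buffer for the AutoIt3 runtime and compiled-script markers listed above."""
from __future__ import annotations


def _both_encodings(s: str) -> list[tuple[bytes, str]]:
    # The runtime uses wide-char APIs (LoadStringW, __swprintf), so its
    # strings sit in the image as UTF-16LE; an ASCII-only grep misses them.
    return [(s.encode("ascii"), "ascii"), (s.encode("utf-16-le"), "utf-16-le")]


# Marker text comes from the report's String ID list for this function.
# Joining "AU3!" and "EA06" into one tag is an assumption about how the
# loader validates the embedded script header.
MARKERS = {
    "compiled_script_tag": _both_encodings("AU3!EA06"),
    "script_block_marker": _both_encodings(">>>AUTOIT SCRIPT<<<"),
    "runtime_error_format": _both_encodings('Line %d (File "%s"):'),
    "include_depth_error": _both_encodings("#include depth exceeded"),
}


def find_markers(data: bytes) -> list[tuple[str, int, str]]:
    """Return (marker_name, offset, encoding) for every hit, sorted by offset."""
    hits = []
    for name, patterns in MARKERS.items():
        for pat, enc in patterns:
            start = 0
            while (idx := data.find(pat, start)) != -1:
                hits.append((name, idx, enc))
                start = idx + 1
    return sorted(hits, key=lambda h: h[1])


def classify(data: bytes) -> str:
    """Coarse verdict: an embedded script tag outranks runtime-only strings."""
    names = {h[0] for h in find_markers(data)}
    if "compiled_script_tag" in names:
        return "autoit_runtime_with_embedded_script"
    if names & {"script_block_marker", "runtime_error_format", "include_depth_error"}:
        return "autoit_runtime_strings_only"
    return "no_autoit_markers"


# Constructed sample (not a real dump): a fake image holding one UTF-16LE
# runtime string followed by an ASCII script tag.
SAMPLE = (
    b"MZ" + b"\x00" * 30
    + 'Line %d (File "%s"):'.encode("utf-16-le")
    + b"\x00" * 8
    + b"AU3!EA06" + b"<compressed script bytes>"
)

if __name__ == "__main__":
    for name, off, enc in find_markers(SAMPLE):
        print(f"{off:#08x} {enc:<9} {name}")
    print(classify(SAMPLE))
```

Run it over the .sdmp process dumps the report links rather than only the on-disk sample, since the interesting bytes may only be present after unpacking. A hit on runtime strings alone only proves the AutoIt interpreter is present; the malicious logic lives in the embedded script, and this check locates neither its offset nor its contents, which needs a dedicated AutoIt script extractor.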
              APIs
              • _memset.LIBCMT ref: 00082D50
              • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00082DDD
              • GetMenuItemCount.USER32(000E5890), ref: 00082E66
              • DeleteMenu.USER32(000E5890,00000005,00000000,000000F5,?,?), ref: 00082EF6
              • DeleteMenu.USER32(000E5890,00000004,00000000), ref: 00082EFE
              • DeleteMenu.USER32(000E5890,00000006,00000000), ref: 00082F06
              • DeleteMenu.USER32(000E5890,00000003,00000000), ref: 00082F0E
              • GetMenuItemCount.USER32(000E5890), ref: 00082F16
              • SetMenuItemInfoW.USER32(000E5890,00000004,00000000,00000030), ref: 00082F4C
              • GetCursorPos.USER32(?), ref: 00082F56
              • SetForegroundWindow.USER32(00000000), ref: 00082F5F
              • TrackPopupMenuEx.USER32(000E5890,00000000,?,00000000,00000000,00000000), ref: 00082F72
              • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00082F7E
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
              • String ID:
              • API String ID: 3993528054-0
              • Opcode ID: faf18dcf991781b5aec77cb58981ae6b495f6460297409639b297dc9efaf574c
              • Instruction ID: bd40936856ec3c4a590a496468f7e4f6fee813956ccf82de5f39068a44607a63
              • Opcode Fuzzy Hash: faf18dcf991781b5aec77cb58981ae6b495f6460297409639b297dc9efaf574c
              • Instruction Fuzzy Hash: 2A71F670600606BFFB21AF64DC85FAABFA8FF05724F100226F655AA1E1C7B55C20DB94
              APIs
                • Part of subcall function 00027BCC: _memmove.LIBCMT ref: 00027C06
              • _memset.LIBCMT ref: 0007786B
              • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 000778A0
              • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 000778BC
              • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 000778D8
              • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00077902
              • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0007792A
              • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00077935
              • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0007793A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
              • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
              • API String ID: 1411258926-22481851
              • Opcode ID: 4d723e5c5efad53cb54329a74a54a7de3e0a996299a00370d9e5e73cec24ddf3
              • Instruction ID: 2ad01e154d82f2e3bb9d6a5b9e09f372a49542edd3e1242be1d5ffced94f2dbf
              • Opcode Fuzzy Hash: 4d723e5c5efad53cb54329a74a54a7de3e0a996299a00370d9e5e73cec24ddf3
              • Instruction Fuzzy Hash: D5410872C1462DABDF11EFA4EC85DEDB7B8BF04350F40452AE909A7262EB345D04CB94
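The APIs/Similarity blocks in this listing, in particular the screen pixel-capture function earlier (GetDC, CreateCompatibleBitmap, StretchBlt, GetDIBits) and the remote-registry function directly above (WNetAddConnection2W to \IPC$, RegConnectRegistryW against HKLM, RegOpenKeyExW under SOFTWARE\Classes\, CLSIDFromString), are much easier to triage once parsed into a per-function API set that can be matched against capability rules. The Python below is an added example, not Joe Sandbox tooling. The line grammar is inferred from the blocks on this page, the BEHAVIOURS table is an assumed mapping built from API sets visible here, and the SAMPLE excerpt is a shortened copy of those two blocks.

```python
"""Parse Joe Sandbox function blocks ("APIs" ... "Opcode ID") into records and tag them."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# One API line: optional "Part of subcall function XXXX:" prefix, Name.MODULE,
# optional (args), then "ref: ADDR". Inferred from the report's own lines.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)
STRING_ID_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<s>.*)$")
OPCODE_RE = re.compile(r"^\s*•\s*Opcode ID:\s*(?P<h>[0-9a-f]{64})")

# Assumed capability rules: a function gets a tag when its direct calls
# include every API in the set.
BEHAVIOURS = {
    "remote registry over IPC$": {"WNetAddConnection2W", "RegConnectRegistryW", "RegOpenKeyExW"},
    "screen pixel capture": {"GetDC", "CreateCompatibleBitmap", "StretchBlt", "GetDIBits"},
    "picture load from file": {"CreateFileW", "CreateStreamOnHGlobal", "OleLoadPicture"},
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list[str]
    ref: str
    subcall_of: str | None = None  # set when the call belongs to a callee


@dataclass
class FunctionBlock:
    calls: list[ApiCall] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)
    opcode_id: str = ""

    def direct_apis(self) -> set[str]:
        # Subcall lines describe callees; counting them would inflate the set.
        return {c.api for c in self.calls if c.subcall_of is None}

    def behaviours(self) -> list[str]:
        apis = self.direct_apis()
        return sorted(name for name, need in BEHAVIOURS.items() if need <= apis)


def parse_blocks(text: str) -> list[FunctionBlock]:
    blocks: list[FunctionBlock] = []
    cur: FunctionBlock | None = None
    for line in text.splitlines():
        if line.strip() == "APIs":          # each function block opens with this header
            cur = FunctionBlock()
            blocks.append(cur)
            continue
        if cur is None:
            continue
        if m := API_RE.match(line):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(ApiCall(m["api"], m["module"], args, m["ref"], m["sub"]))
        elif m := STRING_ID_RE.match(line):
            # The report joins strings with "$", so a literal "$" (as in IPC$)
            # is indistinguishable from a separator and gets clipped.
            cur.strings = [s for s in m["s"].split("$") if s]
        elif m := OPCODE_RE.match(line):
            cur.opcode_id = m["h"]
    return blocks


# Shortened copy of two blocks from this report, used as sample input.
SAMPLE = r"""
APIs
  • Part of subcall function 00027BCC: _memmove.LIBCMT ref: 00027C06
• _memset.LIBCMT ref: 0007786B
• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 000778A0
• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 000778BC
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 000778D8
• CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0007792A
Similarity
• String ID: SOFTWARE\Classes\$\CLSID$\IPC$
• Opcode ID: 4d723e5c5efad53cb54329a74a54a7de3e0a996299a00370d9e5e73cec24ddf3
APIs
• GetDC.USER32(00000000), ref: 0009738F
• CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0009739B
• CreateCompatibleDC.GDI32(?), ref: 000973A7
• StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00097408
• GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00097444
• ReleaseDC.USER32(00000000,?), ref: 0009748B
Similarity
• Opcode ID: 453b36f91a4979f532d1b17dcc997864e3dd6db0576cb8387ee9312236bde8c4
"""

if __name__ == "__main__":
    for b in parse_blocks(SAMPLE):
        print(b.opcode_id[:12], sorted(b.direct_apis()), b.behaviours())
```

Feed it the whole text export of a report to get one record per function; the Opcode ID lets you key results across reports of related samples, and the behaviour tags are where to hang your own rules (the three here are only illustrations drawn from this page). Remember that the tags describe what the AutoIt runtime is capable of, not what this particular script invokes; the script payload decides which of these code paths ever execute.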
              APIs
              • CharUpperBuffW.USER32(?,?,?,?,?,?,?,0009FDAD,?,?), ref: 000A0E31
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: BuffCharUpper
              • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
              • API String ID: 3964851224-909552448
              • Opcode ID: 6bd07c8270c537ee71cf512ff3d84ae37bdf75af220f5f4ae7abec8467993d56
              • Instruction ID: d3e35fe3efb64ca7857e7ae93900ecb7bb5069ce233bfd535aa586cdfdfa7d6c
              • Opcode Fuzzy Hash: 6bd07c8270c537ee71cf512ff3d84ae37bdf75af220f5f4ae7abec8467993d56
              • Instruction Fuzzy Hash: 2541587114034A8FCF20EF90E865AEE37A4AF12344F144465FC592B693DB35AD6ACBA1
              APIs
              • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0005E2A0,00000010,?,Bad directive syntax error,000AF910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0007F7C2
              • LoadStringW.USER32(00000000,?,0005E2A0,00000010), ref: 0007F7C9
                • Part of subcall function 00027DE1: _memmove.LIBCMT ref: 00027E22
              • _wprintf.LIBCMT ref: 0007F7FC
              • __swprintf.LIBCMT ref: 0007F81E
              • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0007F88D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
              • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
              • API String ID: 1506413516-4153970271
              • Opcode ID: 752119fa80971e3498c1eeb6767d132db739d29783247ddaa88ec3b219c6fe16
              • Instruction ID: 6e60a1b9a8610903e2f0a94147092c85ad9f643827ce95bfdc3a2fa34f5c2d16
              • Opcode Fuzzy Hash: 752119fa80971e3498c1eeb6767d132db739d29783247ddaa88ec3b219c6fe16
              • Instruction Fuzzy Hash: 1121A03284021EEBCF11EFA0DC0AEFE7738BF18300F04446AF509661A2EA71A618CB55
              APIs
                • Part of subcall function 00027BCC: _memmove.LIBCMT ref: 00027C06
                • Part of subcall function 00027924: _memmove.LIBCMT ref: 000279AD
              • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00085330
              • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00085346
              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00085357
              • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00085369
              • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0008537A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: SendString$_memmove
              • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
              • API String ID: 2279737902-1007645807
              • Opcode ID: a2de81398a734370238c2b0fdaba9eed3e9fae2af5317d0a1b11b1e0e6705524
              • Instruction ID: 5decb4dd0b2111c8cb421d94c8129546027aced379e8f89c7f53321551cf14e4
              • Opcode Fuzzy Hash: a2de81398a734370238c2b0fdaba9eed3e9fae2af5317d0a1b11b1e0e6705524
              • Instruction Fuzzy Hash: 7911B270A5422979D760B671DC4ADFF7BBCFB96B41F00042AB905A61D2EEA04D44C7B0
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
              • String ID: 0.0.0.0
              • API String ID: 208665112-3771769585
              • Opcode ID: 4a75795c83db01ae1e96f3fbb3bffe5e19e3b9e0a16a3f5bb71b337191c1234f
              • Instruction ID: de082ea80f6adccd2492279b864e6346f786044b461cae2e9dff71f4f7a75280
              • Instruction Fuzzy Hash: FB11E7719041166FDB60BB709C4AEEE7BBCEF02711F0401B6F58596092EF749A818754
              APIs
              • timeGetTime.WINMM ref: 00084F7A
                • Part of subcall function 0004049F: timeGetTime.WINMM(?,7694B400,00030E7B), ref: 000404A3
              • Sleep.KERNEL32(0000000A), ref: 00084FA6
              • EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00084FCA
              • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00084FEC
              • SetActiveWindow.USER32 ref: 0008500B
              • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00085019
              • SendMessageW.USER32(00000010,00000000,00000000), ref: 00085038
              • Sleep.KERNEL32(000000FA), ref: 00085043
              • IsWindow.USER32 ref: 0008504F
              • EndDialog.USER32(00000000), ref: 00085060
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
              • String ID: BUTTON
              • API String ID: 1194449130-3405671355
              • Opcode ID: 6a37aa62e64db6a83d220dfb0171af7cf6f797284994db16c5aa43f9c0d50a55
              • Instruction ID: 4cc1f306cd9dafce4b2093a285a1d4c3107e58dc42de93d98a485d411710c213
              • Instruction Fuzzy Hash: 94218071605E46AFF7106F70ECC8B363BA9FB56B86F041038F246951B2DB6A4D108B61
              APIs
                • Part of subcall function 00029837: __itow.LIBCMT ref: 00029862
                • Part of subcall function 00029837: __swprintf.LIBCMT ref: 000298AC
              • CoInitialize.OLE32(00000000), ref: 0008D5EA
              • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0008D67D
              • SHGetDesktopFolder.SHELL32(?), ref: 0008D691
              • CoCreateInstance.OLE32(000B2D7C,00000000,00000001,000D8C1C,?), ref: 0008D6DD
              • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0008D74C
              • CoTaskMemFree.OLE32(?,?), ref: 0008D7A4
              • _memset.LIBCMT ref: 0008D7E1
              • SHBrowseForFolderW.SHELL32(?), ref: 0008D81D
              • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0008D840
              • CoTaskMemFree.OLE32(00000000), ref: 0008D847
              • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0008D87E
              • CoUninitialize.OLE32(00000001,00000000), ref: 0008D880
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
              • String ID:
              • API String ID: 1246142700-0
              • Opcode ID: 96048e574a25139060e7aa4cdf6b9b423c1832a4d5d50d73c593cae7fff2ccc9
              • Instruction ID: 588422b9d32aa3441294e0f49a08a40330766a7c38836abd7656d1fd718451d6
              • Instruction Fuzzy Hash: CEB1EC75A00119AFDB04DFA4C888DAEBBF9FF49314F1485A9E949DB261DB30ED41CB50
              APIs
              • GetDlgItem.USER32(?,00000001), ref: 0007C283
              • GetWindowRect.USER32(00000000,?), ref: 0007C295
              • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0007C2F3
              • GetDlgItem.USER32(?,00000002), ref: 0007C2FE
              • GetWindowRect.USER32(00000000,?), ref: 0007C310
              • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0007C364
              • GetDlgItem.USER32(?,000003E9), ref: 0007C372
              • GetWindowRect.USER32(00000000,?), ref: 0007C383
              • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0007C3C6
              • GetDlgItem.USER32(?,000003EA), ref: 0007C3D4
              • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0007C3F1
              • InvalidateRect.USER32(?,00000000,00000001), ref: 0007C3FE
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Window$ItemMoveRect$Invalidate
              • String ID:
              • API String ID: 3096461208-0
              • Opcode ID: 6b8922353f0d8f855916892e2d87fc932c2c7af81a2f60954fe3818d758a6a13
              • Instruction ID: 391dacafb518b32b2d57ce787031498b0f25f4576f1470e8047f0f8b29a73dbe
              • Instruction Fuzzy Hash: 75514171B00605AFEB18CFA9DD89EBEBBB6EB88310F14812DF519D7290D7749D008B14
              APIs
                • Part of subcall function 00021B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00022036,?,00000000,?,?,?,?,000216CB,00000000,?), ref: 00021B9A
              • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 000220D3
              • KillTimer.USER32(-00000001,?,?,?,?,000216CB,00000000,?,?,00021AE2,?,?), ref: 0002216E
              • DestroyAcceleratorTable.USER32(00000000), ref: 0005BCA6
              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,000216CB,00000000,?,?,00021AE2,?,?), ref: 0005BCD7
              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,000216CB,00000000,?,?,00021AE2,?,?), ref: 0005BCEE
              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,000216CB,00000000,?,?,00021AE2,?,?), ref: 0005BD0A
              • DeleteObject.GDI32(00000000), ref: 0005BD1C
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
              • String ID:
              • API String ID: 641708696-0
              • Opcode ID: fee7c01317d9e11bc4e7e4d2d4796d8857701b58e4b220799713b02c893f88fb
              • Instruction ID: b2a0d973f2a1564154287bc9d637fd11e138d7204ddad763255ec700e361c95e
              • Instruction Fuzzy Hash: BC61C131100A61EFEB359F54EE88B2A77F1FF51707F104928E9826A571CB78A891DB50
              APIs
                • Part of subcall function 000225DB: GetWindowLongW.USER32(?,000000EB), ref: 000225EC
              • GetSysColor.USER32(0000000F), ref: 000221D3
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: ColorLongWindow
              • String ID:
              • API String ID: 259745315-0
              • Opcode ID: b8b6a8ff6e85b1a7e00ee5ddf5f9164a573fde4b11621fdaa58482e92a7a3f0d
              • Instruction ID: ab432d3845c9644bd535c3ce8b52126f661febd19c6b8220aec2ee6832222849
              • Instruction Fuzzy Hash: 4E41A431100550FFEB655FA8EC88BB93BA5EB06331F184365FE659A1E2C7368C46DB21
              APIs
              • CharLowerBuffW.USER32(?,?,000AF910), ref: 0008A90B
              • GetDriveTypeW.KERNEL32(00000061,000D89A0,00000061), ref: 0008A9D5
              • _wcscpy.LIBCMT ref: 0008A9FF
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: BuffCharDriveLowerType_wcscpy
              • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
              • API String ID: 2820617543-1000479233
              • Opcode ID: 047e5fd2951bb2064835156aa3ff7fec652b08d568611a0cd7a45a6c1dda7b1f
              • Instruction ID: 9183a910c18a894b75fe1c074556277da78e201539924a96c7ce1006912a498b
              • Instruction Fuzzy Hash: C351AC312083019BD714EF14D892AAFB7E5FF86310F14482EF5DA576A2DB319909CB93
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: __i64tow__itow__swprintf
              • String ID: %.15g$0x%p$False$True
              • API String ID: 421087845-2263619337
              • Opcode ID: 0da58f2d4449de164861187bd19affd0ad2b8d782d2748ad60d03d8ab6c0ba1d
              • Instruction ID: 77e12d51331f01c938294822f6708958568f91b9a25a8fc8cd7e323100eb88f1
              • Instruction Fuzzy Hash: AB41C771900616AFDB24DF34DC42EBA77E8FF45300F24447EEA49DB292EE35A9458B10
              APIs
              • _memset.LIBCMT ref: 000A716A
              • CreateMenu.USER32 ref: 000A7185
              • SetMenu.USER32(?,00000000), ref: 000A7194
              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000A7221
              • IsMenu.USER32(?), ref: 000A7237
              • CreatePopupMenu.USER32 ref: 000A7241
              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 000A726E
              • DrawMenuBar.USER32 ref: 000A7276
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
              • String ID: 0$F
              • API String ID: 176399719-3044882817
              • Opcode ID: 3fd001b3682b9bfea3df20f743188109f81991b67a7d9b448342c737171019ac
              • Instruction ID: 7befb6e5221362a9f4a7d907a67c5d6e15565c9b0f5beeeb37ac294c94d3b181
              • Instruction Fuzzy Hash: 1C412574A01605EFEB20DFA4DD84BAA7BF5FB4A310F144428FA49A7361D735A910CB90
              APIs
              • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 000A755E
              • CreateCompatibleDC.GDI32(00000000), ref: 000A7565
              • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 000A7578
              • SelectObject.GDI32(00000000,00000000), ref: 000A7580
              • GetPixel.GDI32(00000000,00000000,00000000), ref: 000A758B
              • DeleteDC.GDI32(00000000), ref: 000A7594
              • GetWindowLongW.USER32(?,000000EC), ref: 000A759E
              • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 000A75B2
              • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 000A75BE
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
              • String ID: static
              • API String ID: 2559357485-2160076837
              • Opcode ID: e85df5ea77f5f4d1405b66c54d945bca1edce9da15b2f44bb37ce47480772c2c
              • Instruction ID: d45b7d673d1fd9d0728b8dfe1eaa135963af705545e9d69672539f35bbf4357b
              • Instruction Fuzzy Hash: 93316F32504615BBEF129FB4DC08FEB3BA9FF0A360F114224FA59960A1C775D811DBA4
              APIs
              • _memset.LIBCMT ref: 00046E3E
                • Part of subcall function 00048B28: __getptd_noexit.LIBCMT ref: 00048B28
              • __gmtime64_s.LIBCMT ref: 00046ED7
              • __gmtime64_s.LIBCMT ref: 00046F0D
              • __gmtime64_s.LIBCMT ref: 00046F2A
              • __allrem.LIBCMT ref: 00046F80
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00046F9C
              • __allrem.LIBCMT ref: 00046FB3
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00046FD1
              • __allrem.LIBCMT ref: 00046FE8
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00047006
              • __invoke_watson.LIBCMT ref: 00047077
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
              • String ID:
              • API String ID: 384356119-0
              • Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
              • Instruction ID: 5d74dd6edc5dc58cfc5cdcc09d5897bf96724b0b9c3ab4c961aeafc7a22e6d3f
              • Instruction Fuzzy Hash: 0E7126F2A00716EBD714AE69DC41BABB3E8AF01364F108639F814D7282F771DD448B95
              APIs
              • _memset.LIBCMT ref: 00082542
              • GetMenuItemInfoW.USER32(000E5890,000000FF,00000000,00000030), ref: 000825A3
              • SetMenuItemInfoW.USER32(000E5890,00000004,00000000,00000030), ref: 000825D9
              • Sleep.KERNEL32(000001F4), ref: 000825EB
              • GetMenuItemCount.USER32(?), ref: 0008262F
              • GetMenuItemID.USER32(?,00000000), ref: 0008264B
              • GetMenuItemID.USER32(?,-00000001), ref: 00082675
              • GetMenuItemID.USER32(?,?), ref: 000826BA
              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00082700
              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00082714
              • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00082735
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
              • String ID:
              • API String ID: 4176008265-0
              • Opcode ID: 6d89c901bbc820b47cdd66dab045974fff2eb1e7ce22ce0f9b22371c0c34b128
              • Instruction ID: 8c0292d77b31e1cf6233d61a722085cb4668c7f15e18f8a069ef911db5c8a2f6
              • Instruction Fuzzy Hash: 0A61C27090464AAFEF21EFA4DD88DBE7BF8FB02304F140459E982A7251E735AD15DB21
              APIs
              • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 000A6FA5
              • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 000A6FA8
              • GetWindowLongW.USER32(?,000000F0), ref: 000A6FCC
              • _memset.LIBCMT ref: 000A6FDD
              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 000A6FEF
              • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 000A7067
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: MessageSend$LongWindow_memset
              • String ID:
              • API String ID: 830647256-0
              • Opcode ID: 1542a8801ec09f533e7237d6c314aff6c61224ed9f7215e340e0bbb4f6eef5af
              • Instruction ID: eaa59843e7dfaba1816f8ad810ff06851db29f53e6137c063b997acaf6b650ee
              • Instruction Fuzzy Hash: 45618C75900248EFDB10DFA8CC81EEE77F8EB0A714F144169FA14AB2A2C775AD41CB90
              APIs
              • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00076BBF
              • SafeArrayAllocData.OLEAUT32(?), ref: 00076C18
              • VariantInit.OLEAUT32(?), ref: 00076C2A
              • SafeArrayAccessData.OLEAUT32(?,?), ref: 00076C4A
              • VariantCopy.OLEAUT32(?,?), ref: 00076C9D
              • SafeArrayUnaccessData.OLEAUT32(?), ref: 00076CB1
              • VariantClear.OLEAUT32(?), ref: 00076CC6
              • SafeArrayDestroyData.OLEAUT32(?), ref: 00076CD3
              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00076CDC
              • VariantClear.OLEAUT32(?), ref: 00076CEE
              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00076CF9
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
              • String ID:
              • API String ID: 2706829360-0
              • Opcode ID: 3fce8155f2203476b0af670500e9d77a2e3e01c0e20cde02500399005f3198f8
              • Instruction ID: 277ef416005403f4fa78b5f59966aae1d348d754036c2ded82e70c590961fc2f
              • Instruction Fuzzy Hash: 8A415135E005199FDF00DFA4D8449EEBBB9EF09350F00C069E956E7261DB35A945CB94
              APIs
              • GetKeyboardState.USER32(?), ref: 0007FD31
              • GetAsyncKeyState.USER32(000000A0), ref: 0007FDB2
              • GetKeyState.USER32(000000A0), ref: 0007FDCD
              • GetAsyncKeyState.USER32(000000A1), ref: 0007FDE7
              • GetKeyState.USER32(000000A1), ref: 0007FDFC
              • GetAsyncKeyState.USER32(00000011), ref: 0007FE14
              • GetKeyState.USER32(00000011), ref: 0007FE26
              • GetAsyncKeyState.USER32(00000012), ref: 0007FE3E
              • GetKeyState.USER32(00000012), ref: 0007FE50
              • GetAsyncKeyState.USER32(0000005B), ref: 0007FE68
              • GetKeyState.USER32(0000005B), ref: 0007FE7A
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: State$Async$Keyboard
              • String ID:
              • API String ID: 541375521-0
              • Opcode ID: 367b55c698236e9deb9517e2c3b1e21a2c944fee657e51ed8773b8fc4707bbd4
              • Instruction ID: 877bc08a1c5dac53068e014b18a0d5e25a08ebb869468b36ca6cd44f5c7bb8bc
              • Instruction Fuzzy Hash: A9418624D04BCB6DFFB19A7488143B5BAE16B11344F08C0B9D6C9471D2EBAC9DD487AA
              APIs
                • Part of subcall function 00029837: __itow.LIBCMT ref: 00029862
                • Part of subcall function 00029837: __swprintf.LIBCMT ref: 000298AC
              • CoInitialize.OLE32 ref: 00098403
              • CoUninitialize.OLE32 ref: 0009840E
              • CoCreateInstance.OLE32(?,00000000,00000017,000B2BEC,?), ref: 0009846E
              • IIDFromString.OLE32(?,?), ref: 000984E1
              • VariantInit.OLEAUT32(?), ref: 0009857B
              • VariantClear.OLEAUT32(?), ref: 000985DC
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
              • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
              • API String ID: 834269672-1287834457
              • Opcode ID: 88fc703f657a69c9e705b78dbf670522b93f44630fdb269252d490b518a1120d
              • Instruction ID: fe3da5394be4c3d1c3790e194bfeef456d05c382c23bfd95ce3e4cca8285c39c
              • Opcode Fuzzy Hash: 88fc703f657a69c9e705b78dbf670522b93f44630fdb269252d490b518a1120d
              • Instruction Fuzzy Hash: 3661BE706087129FDB10DF64C848FAEB7E8AF4A754F048419F9859B3A1CB74ED48DB92
              APIs
              • WSAStartup.WSOCK32(00000101,?), ref: 00095793
              • inet_addr.WSOCK32(?), ref: 000957D8
              • gethostbyname.WSOCK32(?), ref: 000957E4
              • IcmpCreateFile.IPHLPAPI ref: 000957F2
              • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00095862
              • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00095878
              • IcmpCloseHandle.IPHLPAPI(00000000), ref: 000958ED
              • WSACleanup.WSOCK32 ref: 000958F3
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
               • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
              • String ID: Ping
              • API String ID: 1028309954-2246546115
              • Opcode ID: c0ea4b87bafcb4121754fbf96e8e98d9b2978c89dae2a9bd66c7945bd6fa0ba7
              • Instruction ID: b75f95e162a665a3c562588fa0d94afe5fbe6b6d2c93ae8e72a09ae2a8caa23f
              • Opcode Fuzzy Hash: c0ea4b87bafcb4121754fbf96e8e98d9b2978c89dae2a9bd66c7945bd6fa0ba7
              • Instruction Fuzzy Hash: 9851C131604B01DFEB21EF65DC45B6AB7E4EF45711F048929F996EB2A1DB30E800EB51
              APIs
              • SetErrorMode.KERNEL32(00000001), ref: 0008B4D0
              • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0008B546
              • GetLastError.KERNEL32 ref: 0008B550
              • SetErrorMode.KERNEL32(00000000,READY), ref: 0008B5BD
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
               • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Error$Mode$DiskFreeLastSpace
              • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
              • API String ID: 4194297153-14809454
              • Opcode ID: c981b644df018fd04182b5b0a4e744bce285b15e5995f86b0b4abcb64dc140f8
              • Instruction ID: aff509f6adad527067d0efdb9537ca12ce3eb5bd8975b17a0ca7b9f69b0a061f
              • Opcode Fuzzy Hash: c981b644df018fd04182b5b0a4e744bce285b15e5995f86b0b4abcb64dc140f8
              • Instruction Fuzzy Hash: DD31A135A00605DFDB20FB68D845FBE7BB4FF09310F108126E645DB292DB709A41CB91
              APIs
                • Part of subcall function 00027DE1: _memmove.LIBCMT ref: 00027E22
                • Part of subcall function 0007AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0007AABC
              • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00079014
              • GetDlgCtrlID.USER32 ref: 0007901F
              • GetParent.USER32 ref: 0007903B
              • SendMessageW.USER32(00000000,?,00000111,?), ref: 0007903E
              • GetDlgCtrlID.USER32(?), ref: 00079047
              • GetParent.USER32(?), ref: 00079063
              • SendMessageW.USER32(00000000,?,?,00000111), ref: 00079066
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
               • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: MessageSend$CtrlParent$ClassName_memmove
              • String ID: ComboBox$ListBox
              • API String ID: 1536045017-1403004172
              • Opcode ID: d11fdafa4f7ef3cb94255cb9f81b4134ade5376bda373b175823a31cde5938d9
              • Instruction ID: 6ab239c37615e3cc53d3640515735c14b8fcc278bfcdf2b9d4a6b1eb5d056e50
              • Opcode Fuzzy Hash: d11fdafa4f7ef3cb94255cb9f81b4134ade5376bda373b175823a31cde5938d9
              • Instruction Fuzzy Hash: 0D21C170E00209BFDF14ABA0CC85EFEBBB8EF4A310F104116F925972A2DB795815DB64
              APIs
                • Part of subcall function 00027DE1: _memmove.LIBCMT ref: 00027E22
                • Part of subcall function 0007AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0007AABC
              • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 000790FD
              • GetDlgCtrlID.USER32 ref: 00079108
              • GetParent.USER32 ref: 00079124
              • SendMessageW.USER32(00000000,?,00000111,?), ref: 00079127
              • GetDlgCtrlID.USER32(?), ref: 00079130
              • GetParent.USER32(?), ref: 0007914C
              • SendMessageW.USER32(00000000,?,?,00000111), ref: 0007914F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
               • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: MessageSend$CtrlParent$ClassName_memmove
              • String ID: ComboBox$ListBox
              • API String ID: 1536045017-1403004172
              • Opcode ID: 9e7703aee35dc08d3c387cf736ff8c4d35ec722bb2744976ce9b799021721d8f
              • Instruction ID: 6d452dfe218daea47493f1b85f5a7d8d575247e4cc8a064167c37a9b81d8acac
              • Opcode Fuzzy Hash: 9e7703aee35dc08d3c387cf736ff8c4d35ec722bb2744976ce9b799021721d8f
              • Instruction Fuzzy Hash: F0212974E00209BFDF10ABA0CC85EFEBBB8EF45300F004016F915972A2DB795825DB64
              APIs
              • GetParent.USER32 ref: 0007916F
              • GetClassNameW.USER32(00000000,?,00000100), ref: 00079184
              • _wcscmp.LIBCMT ref: 00079196
              • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00079211
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
               • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: ClassMessageNameParentSend_wcscmp
              • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
              • API String ID: 1704125052-3381328864
              • Opcode ID: 79ae5ccd51baba624810ecd212f481aaf87481f7dc898c7ac3d1d83c274661a6
              • Instruction ID: 45002968cd0cf99bc9dadd897aa2a56afec3e666f97bbe1479e6d1c4a2fc4984
              • Opcode Fuzzy Hash: 79ae5ccd51baba624810ecd212f481aaf87481f7dc898c7ac3d1d83c274661a6
              • Instruction Fuzzy Hash: 27110A77688307BAFA213624DC16DE7779C9B15720B204027FA08E41D3FE659852559C
              APIs
              • VariantInit.OLEAUT32(?), ref: 000988D7
              • CoInitialize.OLE32(00000000), ref: 00098904
              • CoUninitialize.OLE32 ref: 0009890E
              • GetRunningObjectTable.OLE32(00000000,?), ref: 00098A0E
              • SetErrorMode.KERNEL32(00000001,00000029), ref: 00098B3B
              • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,000B2C0C), ref: 00098B6F
              • CoGetObject.OLE32(?,00000000,000B2C0C,?), ref: 00098B92
              • SetErrorMode.KERNEL32(00000000), ref: 00098BA5
              • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00098C25
              • VariantClear.OLEAUT32(?), ref: 00098C35
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
               • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
              • String ID:
              • API String ID: 2395222682-0
              • Opcode ID: 475028138b9016294f0ae633ffebd2f529521457e07483ee8fb27c1134fecd11
              • Instruction ID: 88e9b85f05fdf62119beda88c3aa321027f325f6c68dfcf5376ca9ff41b8ea77
              • Opcode Fuzzy Hash: 475028138b9016294f0ae633ffebd2f529521457e07483ee8fb27c1134fecd11
              • Instruction Fuzzy Hash: 10C125B1608305AFDB00DF64C88496BB7E9FF8A348F04895DF98A9B251DB71ED05CB52
              APIs
              • SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00087A6C
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
               • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: ArraySafeVartype
              • String ID:
              • API String ID: 1725837607-0
              • Opcode ID: fe980724de626afe6996b37b17e48b8132a76d29b17cad463ba1d4c9b01e4a38
              • Instruction ID: 4e0fc791bb3a3b13189b93b143002debf377256609627a25f2ae69e409a47116
              • Opcode Fuzzy Hash: fe980724de626afe6996b37b17e48b8132a76d29b17cad463ba1d4c9b01e4a38
              • Instruction Fuzzy Hash: DFB18C7190421A9FDB10EFA4C884BFEBBF5FF49321F244429E689A7256D734E941CB90
              APIs
              • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0002FAA6
              • OleUninitialize.OLE32(?,00000000), ref: 0002FB45
              • UnregisterHotKey.USER32(?), ref: 0002FC9C
              • DestroyWindow.USER32(?), ref: 000645D6
              • FreeLibrary.KERNEL32(?), ref: 0006463B
              • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00064668
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
               • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
              • String ID: close all
              • API String ID: 469580280-3243417748
              • Opcode ID: f974c60f220c8ed65b0222456a3e10ba21fe0405ea2c0bae0da5f854f658833c
              • Instruction ID: b68128da976714371dd8f0e62de40273c4971fc5c5647ca18530801d7c66573a
              • Opcode Fuzzy Hash: f974c60f220c8ed65b0222456a3e10ba21fe0405ea2c0bae0da5f854f658833c
              • Instruction Fuzzy Hash: 4DA19C70701222CFDB69EF14D995AB9F3A5BF05740F5442BDE80AAB262CB30AD16CF51
              APIs
              • EnumChildWindows.USER32(?,0007A439), ref: 0007A377
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
               • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: ChildEnumWindows
              • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
              • API String ID: 3555792229-1603158881
              • Opcode ID: f71bd57bc31380ea0d70990a6e93a400c37f30dd3cd4a425b74fe7b282d6ece1
              • Instruction ID: 2c25dc6cbbcbb1fba04bdf281cb7e066b5a3334a0e3f727d600af13ff3943809
              • Opcode Fuzzy Hash: f71bd57bc31380ea0d70990a6e93a400c37f30dd3cd4a425b74fe7b282d6ece1
              • Instruction Fuzzy Hash: 2891F671B00606AACB48DFA4C451BEDFBB4BF45310F50C129E44DA3252DF356A99CBE9
              APIs
              • SetWindowLongW.USER32(?,000000EB), ref: 00022EAE
                • Part of subcall function 00021DB3: GetClientRect.USER32(?,?), ref: 00021DDC
                • Part of subcall function 00021DB3: GetWindowRect.USER32(?,?), ref: 00021E1D
                • Part of subcall function 00021DB3: ScreenToClient.USER32(?,?), ref: 00021E45
              • GetDC.USER32 ref: 0005CD32
              • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0005CD45
              • SelectObject.GDI32(00000000,00000000), ref: 0005CD53
              • SelectObject.GDI32(00000000,00000000), ref: 0005CD68
              • ReleaseDC.USER32(?,00000000), ref: 0005CD70
              • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0005CDFB
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
               • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
              • String ID: U
              • API String ID: 4009187628-3372436214
              • Opcode ID: d96c5e68b425d4b3a0c39382aa53212dff29a12e37e48fe18f768ebcbdcd990f
              • Instruction ID: 0772cfc49e034a4c398a379a689b549be1488417b9ddf7257625e5766159d36a
              • Opcode Fuzzy Hash: d96c5e68b425d4b3a0c39382aa53212dff29a12e37e48fe18f768ebcbdcd990f
              • Instruction Fuzzy Hash: F871BD31400205EFEF618FA4DC80EEB7BB5FF49326F14466AED559A2A6C7348C84DB60
              APIs
              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00091A50
              • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00091A7C
              • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00091ABE
              • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00091AD3
              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00091AE0
              • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00091B10
              • InternetCloseHandle.WININET(00000000), ref: 00091B57
                • Part of subcall function 00092483: GetLastError.KERNEL32(?,?,00091817,00000000,00000000,00000001), ref: 00092498
                • Part of subcall function 00092483: SetEvent.KERNEL32(?,?,00091817,00000000,00000000,00000001), ref: 000924AD
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
               • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
              • String ID:
              • API String ID: 2603140658-3916222277
              • Opcode ID: c4a5e969eaa483d6cbff5b45f22ae2e3769bdd0bd4558090462e523d8c2ac099
              • Instruction ID: e9aedccb12ab4b86b9582b747820b97c69a86afe273932418080b7c06e8b4ba2
              • Opcode Fuzzy Hash: c4a5e969eaa483d6cbff5b45f22ae2e3769bdd0bd4558090462e523d8c2ac099
              • Instruction Fuzzy Hash: DF417FB160161ABFEF118F50CC89FFE7BADEF09354F004126F9059A191E7749E44ABA1
              APIs
              • GetModuleFileNameW.KERNEL32(?,?,00000104,?,000AF910), ref: 00098D28
              • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,000AF910), ref: 00098D5C
              • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00098ED6
              • SysFreeString.OLEAUT32(?), ref: 00098F00
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
               • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Free$FileLibraryModuleNamePathQueryStringType
              • String ID:
              • API String ID: 560350794-0
              • Opcode ID: 84f238c59ca5f72790dda1dca56ec30234c4b5f1c9d69d9210265ed37b15c450
              • Instruction ID: 5daa8ed4c3f55667233ea457d5c263c74a7ec437df5764d4b625fa5c11b47eaa
              • Opcode Fuzzy Hash: 84f238c59ca5f72790dda1dca56ec30234c4b5f1c9d69d9210265ed37b15c450
              • Instruction Fuzzy Hash: 41F14771A00209AFDF54DF98C884EEEB7B9FF89314F108498F915AB251DB31AE45DB90
              APIs
              • _memset.LIBCMT ref: 0009F6B5
              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0009F848
              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0009F86C
              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0009F8AC
              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0009F8CE
              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0009FA4A
              • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0009FA7C
              • CloseHandle.KERNEL32(?), ref: 0009FAAB
              • CloseHandle.KERNEL32(?), ref: 0009FB22
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
               • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
              • String ID:
              • API String ID: 4090791747-0
              • Opcode ID: a6a64e20898b3294c8459a17b584141aadd737efe32a1db5ef885ebdc1a16ab5
              • Instruction ID: 7cd8c5260fa7dd54c787aa584a74824f77881fd15d4b77361d28d34e1532d65c
              • Opcode Fuzzy Hash: a6a64e20898b3294c8459a17b584141aadd737efe32a1db5ef885ebdc1a16ab5
              • Instruction Fuzzy Hash: 7EE1BF716043029FCB15EF24C881BBABBE5EF85354F18856DF8999B2A2CB31DC41DB52
              APIs
                • Part of subcall function 0008466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00083697,?), ref: 0008468B
                • Part of subcall function 0008466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00083697,?), ref: 000846A4
                • Part of subcall function 00084A31: GetFileAttributesW.KERNEL32(?,0008370B), ref: 00084A32
              • lstrcmpiW.KERNEL32(?,?), ref: 00084D40
              • _wcscmp.LIBCMT ref: 00084D5A
              • MoveFileW.KERNEL32(?,?), ref: 00084D75
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
               • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
              • String ID:
              • API String ID: 793581249-0
              • Opcode ID: 3dadbf0ccfe7873710b9ee29c741a2d9a92039b0277382de44ee4a2485ac7efa
              • Instruction ID: 13aaa46d24e98278f66f0ffeb2fb0d5770cabe9b9bf0c4b04fa218e6de55e667
              • Opcode Fuzzy Hash: 3dadbf0ccfe7873710b9ee29c741a2d9a92039b0277382de44ee4a2485ac7efa
              • Instruction Fuzzy Hash: 395144B25083459BC765EBA0DC819DFB3ECAF85350F40092EB6C9D3152EF74A588C756
              APIs
              • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 000A86FF
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
               • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: InvalidateRect
              • String ID:
              • API String ID: 634782764-0
              • Opcode ID: c9ef8ed2d181b63f67353897d94d3a745d12ce2e9f50a392b0438434e54d1624
              • Instruction ID: e0c9deee47a137ec18996a25bf6160ce1578b487b55a677404e826352458ed79
              • Opcode Fuzzy Hash: c9ef8ed2d181b63f67353897d94d3a745d12ce2e9f50a392b0438434e54d1624
              • Instruction Fuzzy Hash: 8E51C130604254BEEB749BA8DC85FED7BA5EB07760F608125F950EA1A1DF76E980CB40
              APIs
              • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0005C2F7
              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0005C319
              • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0005C331
              • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0005C34F
              • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0005C370
              • DestroyIcon.USER32(00000000), ref: 0005C37F
              • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0005C39C
              • DestroyIcon.USER32(?), ref: 0005C3AB
                • Part of subcall function 000AA4AF: DeleteObject.GDI32(00000000), ref: 000AA4E8
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
               • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
              • String ID:
              • API String ID: 2819616528-0
              • Opcode ID: 2414dbc7b14fcd12f5f35efc6c0a4981d0b5707bf70491a115ce337d296dbd97
              • Instruction ID: fa661b04686473a7723ad6b8e8b5c7d8ddf0892a977a3879300719daac4f3fd3
              • Opcode Fuzzy Hash: 2414dbc7b14fcd12f5f35efc6c0a4981d0b5707bf70491a115ce337d296dbd97
              • Instruction Fuzzy Hash: 5E515870A00719EFEB20DFA4DC45FAE3BE5EB49711F104528F942A72A0DB74AD90DB50
              APIs
                • Part of subcall function 0007A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0007A84C
                • Part of subcall function 0007A82C: GetCurrentThreadId.KERNEL32 ref: 0007A853
                • Part of subcall function 0007A82C: AttachThreadInput.USER32(00000000,?,00079683,?,00000001), ref: 0007A85A
              • MapVirtualKeyW.USER32(00000025,00000000), ref: 0007968E
              • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 000796AB
              • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 000796AE
              • MapVirtualKeyW.USER32(00000025,00000000), ref: 000796B7
              • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 000796D5
              • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 000796D8
              • MapVirtualKeyW.USER32(00000025,00000000), ref: 000796E1
              • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 000796F8
              • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 000796FB
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
               • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
              • String ID:
              • API String ID: 2014098862-0
              • Opcode ID: f6b2212b9db71968dee2fded102d704d69653d06aef5cb04467e385664eca720
              • Instruction ID: f3ffb80e29b73b7b689ab4d9d78829482370eb2b9e974754842c62497a2e9922
              • Opcode Fuzzy Hash: f6b2212b9db71968dee2fded102d704d69653d06aef5cb04467e385664eca720
              • Instruction Fuzzy Hash: D711E571910A19BEF6106FA0DC89F7A3B1DEB4D750F100425F244AB0E1C9F65C11DAA8
              APIs
              • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0007853C,00000B00,?,?), ref: 0007892A
              • HeapAlloc.KERNEL32(00000000,?,0007853C,00000B00,?,?), ref: 00078931
              • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0007853C,00000B00,?,?), ref: 00078946
              • GetCurrentProcess.KERNEL32(?,00000000,?,0007853C,00000B00,?,?), ref: 0007894E
              • DuplicateHandle.KERNEL32(00000000,?,0007853C,00000B00,?,?), ref: 00078951
              • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0007853C,00000B00,?,?), ref: 00078961
              • GetCurrentProcess.KERNEL32(0007853C,00000000,?,0007853C,00000B00,?,?), ref: 00078969
              • DuplicateHandle.KERNEL32(00000000,?,0007853C,00000B00,?,?), ref: 0007896C
              • CreateThread.KERNEL32(00000000,00000000,00078992,00000000,00000000,00000000), ref: 00078986
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
               • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
              • String ID:
              • API String ID: 1957940570-0
              • Opcode ID: dd237f7d9486022cf79dbbcaaa48ac265bee08d045e71797477bf0fdf32329ec
              • Instruction ID: 730c11b1066bdb808c4cd8558e9967651656bef62f5285e6d3676d2dc35ba248
              • Opcode Fuzzy Hash: dd237f7d9486022cf79dbbcaaa48ac265bee08d045e71797477bf0fdf32329ec
              • Instruction Fuzzy Hash: 0201BBB5640709FFF760ABA5DC4DF6B3BACEB89711F418421FA05DB1A1DA749800CB20
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
               • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID:
              • String ID: NULL Pointer assignment$Not an Object type
              • API String ID: 0-572801152
              • Opcode ID: 181c747d8c08a6223d39c0f7f57d5e2aea763f0881a2c4e8b14738cda1efb122
              • Instruction ID: 17408e2500b340b0b72ecb7b5de4b32673ab0f5b25a8d93c43c567a1b8cbde91
              • Opcode Fuzzy Hash: 181c747d8c08a6223d39c0f7f57d5e2aea763f0881a2c4e8b14738cda1efb122
              • Instruction Fuzzy Hash: 2FC19071A0020A9FDF10DFA8D884AEEB7F5FF48314F14846DE905AB281E771AD41DBA0
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
               • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Variant$ClearInit$_memset
              • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
              • API String ID: 2862541840-625585964
              • Opcode ID: ecf020c0434e8724237d0a2a19cae6e3b1b3fe096e5d3f2840a60a3bb60f7edd
              • Instruction ID: 1ef7720eca2e0e9e692128fff35127472ed73948d1840a24555baa7060c4ab55
              • Opcode Fuzzy Hash: ecf020c0434e8724237d0a2a19cae6e3b1b3fe096e5d3f2840a60a3bb60f7edd
              • Instruction Fuzzy Hash: B2919D71A00219EBDF24DFA9C848FAEBBB8EF45710F10815EF515AB281D7709A45DFA0
              APIs
                • Part of subcall function 0007710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00077044,80070057,?,?,?,00077455), ref: 00077127
                • Part of subcall function 0007710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00077044,80070057,?,?), ref: 00077142
                • Part of subcall function 0007710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00077044,80070057,?,?), ref: 00077150
                • Part of subcall function 0007710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00077044,80070057,?), ref: 00077160
              • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00099806
              • _memset.LIBCMT ref: 00099813
              • _memset.LIBCMT ref: 00099956
              • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00099982
              • CoTaskMemFree.OLE32(?), ref: 0009998D
              Strings
              • NULL Pointer assignment, xrefs: 000999DB
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
               • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
              • String ID: NULL Pointer assignment
              • API String ID: 1300414916-2785691316
              • Opcode ID: da7be3fb0b1be9b05681afc052c92575cc3f71a1a29c9aa29c00d45af1e41009
              • Instruction ID: 0e79847c5898832bdce1128552f22060baec36a37892c536a4113d439dc4b1b6
              • Opcode Fuzzy Hash: da7be3fb0b1be9b05681afc052c92575cc3f71a1a29c9aa29c00d45af1e41009
              • Instruction Fuzzy Hash: F7911671D00229ABDF10DFA5DC85ADEBBB9AF09310F20415AF519A7291DB719A44CFA0
              APIs
              • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 000A6E24
              • SendMessageW.USER32(?,00001036,00000000,?), ref: 000A6E38
              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 000A6E52
              • _wcscat.LIBCMT ref: 000A6EAD
              • SendMessageW.USER32(?,00001057,00000000,?), ref: 000A6EC4
              • SendMessageW.USER32(?,00001061,?,0000000F), ref: 000A6EF2
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
               • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: MessageSend$Window_wcscat
              • String ID: SysListView32
              • API String ID: 307300125-78025650
              • Opcode ID: 8cb44e2ef5c4b143d2105d2837b6ede62cd6cedcdd72a740f9457d9e05463c0a
              • Instruction ID: 81f19a366fb6563c508274f5ffa138adc06275f0e3263aba8bdf6e4d1c69daa7
              • Opcode Fuzzy Hash: 8cb44e2ef5c4b143d2105d2837b6ede62cd6cedcdd72a740f9457d9e05463c0a
              • Instruction Fuzzy Hash: 38418F70A00349EBEB21DFA4CC85BEA77F8EF09350F14052AF585E7292D6769D848B60
              APIs
                • Part of subcall function 00083C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00083C7A
                • Part of subcall function 00083C55: Process32FirstW.KERNEL32(00000000,?), ref: 00083C88
                • Part of subcall function 00083C55: CloseHandle.KERNEL32(00000000), ref: 00083D52
               • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0009E9A4 (desired access 00000001 = PROCESS_TERMINATE)
               • GetLastError.KERNEL32 ref: 0009E9B7
               • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0009E9E6 (desired access 00000001 = PROCESS_TERMINATE)
              • TerminateProcess.KERNEL32(00000000,00000000), ref: 0009EA63
              • GetLastError.KERNEL32(00000000), ref: 0009EA6E
              • CloseHandle.KERNEL32(00000000), ref: 0009EAA3
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
               • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
              • String ID: SeDebugPrivilege
              • API String ID: 2533919879-2896544425
              • Opcode ID: dd4a54e378fefa6172643f6bd3f9e6001ea287c20da64052011421a188e3cd23
              • Instruction ID: 549f59d30bce4e4ca6893f37569b7aed3daf6f3acf74e99866677f7facc5a369
              • Opcode Fuzzy Hash: dd4a54e378fefa6172643f6bd3f9e6001ea287c20da64052011421a188e3cd23
              • Instruction Fuzzy Hash: 5841B9716006019FDB24EF64CCA5FAEB7A5BF40310F088459F9469B2D3CB79AD04DB96
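The API-trace lines in these blocks all follow one fixed shape, so a report of this length is easier to triage by parsing the lines than by reading them. The following Python is an added example written for this page (it is not Joe Sandbox code and not part of the analysed sample): it parses lines of that shape into structured calls and flags the pattern shown in the block above, where a process is opened with desired access 00000001 (PROCESS_TERMINATE) and then handed to TerminateProcess, a kill-by-PID routine. The sample input is the trace above copied verbatim; the regex, the ApiCall record and the helper names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One API-trace line as the report prints it, e.g.
#   • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0009E9A4
#   • Part of subcall function 00083C55: Process32FirstW.KERNEL32(00000000,?), ref: 00083C88
# The optional "Part of subcall function" prefix marks a call observed inside a callee.
_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[#\w:@]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?"
)

PROCESS_TERMINATE = 0x0001  # winnt.h access right; OpenProcess's first argument


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str] = field(default_factory=list)
    ref: Optional[int] = None         # call-site address, None when the line has no ref
    subcall_of: Optional[str] = None  # callee address when the call was observed in a subcall


def arg_value(arg: str) -> Optional[int]:
    """Decode one listed argument; '?' means the sandbox could not recover it."""
    arg = arg.strip()
    if arg == "?" or not arg:
        return None
    return int(arg, 16)  # also accepts the signed form the report uses, e.g. -C0000018


def parse_api_trace(text: str) -> List[ApiCall]:
    """Turn the report's bullet lines into ApiCall records, skipping anything else."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        ref = int(m.group("ref"), 16) if m.group("ref") else None
        calls.append(ApiCall(m.group("api"), m.group("module"), args, ref, m.group("sub")))
    return calls


def flags_process_kill(calls: List[ApiCall]) -> bool:
    """True when the function itself opens a process with PROCESS_TERMINATE and later calls
    TerminateProcess. Calls recorded under subcalls are ignored so callee noise does not count."""
    opened = False
    for c in calls:
        if c.subcall_of:
            continue
        if c.api == "OpenProcess" and c.args:
            access = arg_value(c.args[0])
            if access is not None and access & PROCESS_TERMINATE:
                opened = True
        elif c.api == "TerminateProcess" and opened:
            return True
    return False


# Input copied from the trace above; the bullets and indentation are the report's own.
SAMPLE_TRACE = """
  • Part of subcall function 00083C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00083C7A
  • Part of subcall function 00083C55: Process32FirstW.KERNEL32(00000000,?), ref: 00083C88
  • Part of subcall function 00083C55: CloseHandle.KERNEL32(00000000), ref: 00083D52
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0009E9A4
• GetLastError.KERNEL32 ref: 0009E9B7
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0009E9E6
• TerminateProcess.KERNEL32(00000000,00000000), ref: 0009EA63
• GetLastError.KERNEL32(00000000), ref: 0009EA6E
• CloseHandle.KERNEL32(00000000), ref: 0009EAA3
"""

if __name__ == "__main__":
    parsed = parse_api_trace(SAMPLE_TRACE)
    for c in parsed:
        ref = f"{c.ref:08X}" if c.ref is not None else "????????"
        where = f"(in {c.subcall_of})" if c.subcall_of else ""
        print(f"{ref} {c.module}!{c.api}({', '.join(c.args)}) {where}")
    print("process-kill pattern:", flags_process_kill(parsed))
```

The ignore-subcalls rule matters: the CreateToolhelp32Snapshot/Process32FirstW calls belong to a helper at 00083C55 that resolves a name to a PID, and counting a callee's calls as the caller's own would make every function that uses that helper look like the kill routine.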
              APIs
              • LoadIconW.USER32(00000000,00007F03), ref: 00083033
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
               • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: IconLoad
              • String ID: blank$info$question$stop$warning
              • API String ID: 2457776203-404129466
              • Opcode ID: 1eca1526fa388268ab0320ca196182ec1f6d8030f54931aa1608b3b590778554
              • Instruction ID: 8cd9c7c7180a77d92423e011d03ace5694e94805e6979c731571479534277786
              • Opcode Fuzzy Hash: 1eca1526fa388268ab0320ca196182ec1f6d8030f54931aa1608b3b590778554
              • Instruction Fuzzy Hash: 63112B31348746BEE724AA55DC52CAF77DCAF15720B10403AFA40AA282DB709F405FA4
              APIs
              • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00084312
              • LoadStringW.USER32(00000000), ref: 00084319
              • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0008432F
              • LoadStringW.USER32(00000000), ref: 00084336
              • _wprintf.LIBCMT ref: 0008435C
              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0008437A
              Strings
              • %s (%d) : ==> %s: %s %s, xrefs: 00084357
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
               • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: HandleLoadModuleString$Message_wprintf
              • String ID: %s (%d) : ==> %s: %s %s
              • API String ID: 3648134473-3128320259
              • Opcode ID: 6490ae14f21bc5201927068ba6f103c8b50e0515805bbfd0337bb39318018b2b
              • Instruction ID: afa961f20ded453dbc4f53df256c8678bc6167a91533c93d92ea5fe9d1326622
              • Opcode Fuzzy Hash: 6490ae14f21bc5201927068ba6f103c8b50e0515805bbfd0337bb39318018b2b
              • Instruction Fuzzy Hash: 160162F2940209BFE761A7E0DD89EFB776CEB09300F0045B1B745E6051EA785E854B74
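The String IDs in several of the blocks above ("NULL Pointer assignment", "Not an Object type", "Incorrect Object type in FOR..IN loop", "Null Object assignment in FOR..IN loop" and the "%s (%d) : ==> %s: %s %s" format fed to _wprintf and MessageBoxW) are AutoIt3 interpreter error messages: they identify the runtime the sample was built with, not logic of the embedded script. The Python below is an added example (not Joe Sandbox code, not from the sample) that scans a memory dump or file for those markers in both narrow and UTF-16LE form and reports offsets; the marker list is taken from the strings quoted above, the sample buffer is constructed here, and the function names are this example's own.

```python
import re
from typing import Dict, List, Tuple

# AutoIt3 interpreter error messages; the String IDs in the blocks above list them verbatim.
AUTOIT_MARKERS = (
    "NULL Pointer assignment",
    "Not an Object type",
    "Incorrect Object type in FOR..IN loop",
    "Null Object assignment in FOR..IN loop",
    "%s (%d) : ==> %s: %s %s",
)


def _marker_pattern(marker: str):
    """Compile one marker as a bytes regex matching either its ASCII or its UTF-16LE form,
    since the runtime's wide-string APIs (LoadStringW, _wprintf) store them as UTF-16LE."""
    narrow = re.escape(marker.encode("ascii"))
    wide = re.escape(marker.encode("utf-16-le"))
    return re.compile(b"(?P<narrow>" + narrow + b")|(?P<wide>" + wide + b")")


def scan_autoit_markers(data: bytes) -> Dict[str, List[Tuple[int, str]]]:
    """Return {marker: [(offset, encoding), ...]} for every marker present in data."""
    hits: Dict[str, List[Tuple[int, str]]] = {}
    for marker in AUTOIT_MARKERS:
        found = [(m.start(), "utf-16le" if m.group("wide") else "ascii")
                 for m in _marker_pattern(marker).finditer(data)]
        if found:
            hits[marker] = found
    return hits


def looks_like_autoit(data: bytes, minimum: int = 2) -> bool:
    """Require at least `minimum` distinct markers; one generic phrase alone is weak evidence."""
    return len(scan_autoit_markers(data)) >= minimum


# Constructed sample "dump": 16 bytes of padding, one wide marker, filler, one narrow marker.
SAMPLE_DUMP = (
    b"MZ" + b"\x00" * 14
    + "NULL Pointer assignment".encode("utf-16-le") + b"\x00\x00"
    + b"\xcc" * 8
    + b"Incorrect Object type in FOR..IN loop\x00"
    + b"unrelated filler\x00"
)

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for marker, where in scan_autoit_markers(blob).items():
        for offset, enc in where:
            print(f"{offset:#010x} {enc:<8} {marker}")
    print("AutoIt runtime markers:", "yes" if looks_like_autoit(blob) else "no")
```

Run it against a downloaded .sdmp from the Memory Dump Source entries (pass the path as the first argument) to confirm which dump carries the interpreter; a hit only says the runtime is AutoIt, so the script body still has to be extracted and decompiled separately.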
              APIs
                • Part of subcall function 00022612: GetWindowLongW.USER32(?,000000EB), ref: 00022623
              • GetSystemMetrics.USER32(0000000F), ref: 000AD47C
              • GetSystemMetrics.USER32(0000000F), ref: 000AD49C
              • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 000AD6D7
              • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 000AD6F5
              • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 000AD716
              • ShowWindow.USER32(00000003,00000000), ref: 000AD735
              • InvalidateRect.USER32(?,00000000,00000001), ref: 000AD75A
              • DefDlgProcW.USER32(?,00000005,?,?), ref: 000AD77D
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
               • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
              • String ID:
              • API String ID: 1211466189-0
              • Opcode ID: 779e9f7c7123b6787837a4e635eee079599a4bad6e18cc63dd1e8b485a7be92b
              • Instruction ID: c97f2d38435c7a247e1fbecb92723b3ea5ec6f23879862c7699e1c5dc9d35dc6
              • Opcode Fuzzy Hash: 779e9f7c7123b6787837a4e635eee079599a4bad6e18cc63dd1e8b485a7be92b
              • Instruction Fuzzy Hash: 1AB18B75600615EBDF18CFA8C9C57AD7BF1BF09701F08806AEC4AAF695E734A950CB90
              APIs
              • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0005C1C7,00000004,00000000,00000000,00000000), ref: 00022ACF
              • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0005C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00022B17
              • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0005C1C7,00000004,00000000,00000000,00000000), ref: 0005C21A
              • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0005C1C7,00000004,00000000,00000000,00000000), ref: 0005C286
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
               • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: ShowWindow
              • String ID:
              • API String ID: 1268545403-0
              • Opcode ID: ac072efcec7f207168719e1d960e1e0d01a18b11e70b020b4ba2fffb0eb9ad86
              • Instruction ID: 088ff4bdc606fcf2f8e3d35e5e5b4d4a204b9cef195a731b968adc3128d5c34a
              • Opcode Fuzzy Hash: ac072efcec7f207168719e1d960e1e0d01a18b11e70b020b4ba2fffb0eb9ad86
              • Instruction Fuzzy Hash: 93413B30608B90BFE7758BA8EC8CB7F7BD2AB46301F15882DE44796961CA359885D712
              APIs
              • InterlockedExchange.KERNEL32(?,000001F5), ref: 000870DD
                • Part of subcall function 00040DB6: std::exception::exception.LIBCMT ref: 00040DEC
                • Part of subcall function 00040DB6: __CxxThrowException@8.LIBCMT ref: 00040E01
              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00087114
              • EnterCriticalSection.KERNEL32(?), ref: 00087130
              • _memmove.LIBCMT ref: 0008717E
              • _memmove.LIBCMT ref: 0008719B
              • LeaveCriticalSection.KERNEL32(?), ref: 000871AA
              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 000871BF
              • InterlockedExchange.KERNEL32(?,000001F6), ref: 000871DE
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
               • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
              • String ID:
              • API String ID: 256516436-0
              • Opcode ID: a578971f5491ee48df113570ffe80fc78c83779fa39f5a17f381bb445ea5bae7
              • Instruction ID: 2321566f9523c6fab6136cbac3c51265e16682a254cb0a811ae0a2f7c0d39315
              • Opcode Fuzzy Hash: a578971f5491ee48df113570ffe80fc78c83779fa39f5a17f381bb445ea5bae7
              • Instruction Fuzzy Hash: 5B316E71900205EBDF10EFA5DC89AAAB7B8FF45710F1441B5ED04AB246DB34EA14CB64
              APIs
              • DeleteObject.GDI32(00000000), ref: 000A61EB
              • GetDC.USER32(00000000), ref: 000A61F3
              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 000A61FE
              • ReleaseDC.USER32(00000000,00000000), ref: 000A620A
              • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 000A6246
              • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 000A6257
              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,000A902A,?,?,000000FF,00000000,?,000000FF,?), ref: 000A6291
              • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 000A62B1
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
               • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
              • String ID:
              • API String ID: 3864802216-0
              • Opcode ID: c0a20ed4cdb3f2a05824a9b420c6fce611fb2a6bc0338f4de6f34b11cfb01bf2
              • Instruction ID: 3e96987a74fe35a0ff786fef2555c24180a90454531df049d1810069c54f9352
              • Opcode Fuzzy Hash: c0a20ed4cdb3f2a05824a9b420c6fce611fb2a6bc0338f4de6f34b11cfb01bf2
              • Instruction Fuzzy Hash: 02314F72101614BFEB118F90CC8AFFB3FA9EF4A765F084065FE089A192C6799C41CB64
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
               • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: _memcmp
              • String ID:
              • API String ID: 2931989736-0
              • Opcode ID: 3ca567e81c5951c650a5dfef1e70c55f489cb081191fc28a2026c6283c05cc9b
              • Instruction ID: 78eb77de32a3f2a9f8c52cf02eca5157e392acce9fbca3221a5c8139b46d76b7
              • Opcode Fuzzy Hash: 3ca567e81c5951c650a5dfef1e70c55f489cb081191fc28a2026c6283c05cc9b
              • Instruction Fuzzy Hash: D321A1B1B012097BA6157611DD52FFF779DAF50348F08C020FE0C9A647EBA8EE1582AD
              APIs
                • Part of subcall function 00029837: __itow.LIBCMT ref: 00029862
                • Part of subcall function 00029837: __swprintf.LIBCMT ref: 000298AC
                • Part of subcall function 0003FC86: _wcscpy.LIBCMT ref: 0003FCA9
              • _wcstok.LIBCMT ref: 0008EC94
              • _wcscpy.LIBCMT ref: 0008ED23
              • _memset.LIBCMT ref: 0008ED56
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
               • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: _wcscpy$__itow__swprintf_memset_wcstok
              • String ID: X
              • API String ID: 774024439-3081909835
              • Opcode ID: 26883515862f6a2b2c47fb43869731ef942304e91df37704f434ef9e80083157
              • Instruction ID: 4c511d1d1b7efdd08cb19e5e20ec5e6383781f2401df4f3df6e2edfca0072d7a
              • Opcode Fuzzy Hash: 26883515862f6a2b2c47fb43869731ef942304e91df37704f434ef9e80083157
              • Instruction Fuzzy Hash: EFC19D716087519FC764EF24D885AAAB7E4FF85310F00492DF9999B2A3DB30EC45CB86
              APIs
              • __WSAFDIsSet.WSOCK32(00000000,?), ref: 00096C00
              • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00096C21
              • WSAGetLastError.WSOCK32(00000000), ref: 00096C34
              • htons.WSOCK32(?), ref: 00096CEA
              • inet_ntoa.WSOCK32(?), ref: 00096CA7
                • Part of subcall function 0007A7E9: _strlen.LIBCMT ref: 0007A7F3
                • Part of subcall function 0007A7E9: _memmove.LIBCMT ref: 0007A815
              • _strlen.LIBCMT ref: 00096D44
              • _memmove.LIBCMT ref: 00096DAD
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
              • String ID:
              • API String ID: 3619996494-0
              • Opcode ID: 0992dd0ffb32cbaabf84eae43416e7320e7446973297ef7bb3a3810b52933f12
              • Instruction ID: 8801d2d1ca20b557b66a82dfae7c379a59d9a92a11e319e79dea5f0d2adcf364
              • Opcode Fuzzy Hash: 0992dd0ffb32cbaabf84eae43416e7320e7446973297ef7bb3a3810b52933f12
              • Instruction Fuzzy Hash: B181D071608310ABDB10EB24DC82EAEB7E8AF85714F504918F5559B2D3DB71ED44CB92
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 05336994b49305195f5c995bd4120d1437e5fd69ece442e6b226181754bddfc7
              • Instruction ID: 2d8c2c77c00219f605f5e18a1ad31dc04c1e2b29ff39518a150689035c7a22b2
              • Opcode Fuzzy Hash: 05336994b49305195f5c995bd4120d1437e5fd69ece442e6b226181754bddfc7
              • Instruction Fuzzy Hash: A7717A30900519EFDB14DF98DC48AFFBBB9FF99314F108159F915AA251C734AA51CBA0
              APIs
              • IsWindow.USER32(01974A48), ref: 000AB3EB
              • IsWindowEnabled.USER32(01974A48), ref: 000AB3F7
              • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 000AB4DB
              • SendMessageW.USER32(01974A48,000000B0,?,?), ref: 000AB512
              • IsDlgButtonChecked.USER32(?,?), ref: 000AB54F
              • GetWindowLongW.USER32(01974A48,000000EC), ref: 000AB571
              • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 000AB589
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: MessageSendWindow$ButtonCheckedEnabledLong
              • String ID:
              • API String ID: 4072528602-0
              • Opcode ID: 2c23262b0eaeeb2f14fce367e67e0b4e8ef2ffc32dc6af9a459dddeebcba396c
              • Instruction ID: 96b1073f7656bb3deacbe4ccd96953a76de83e1645ff5eecefc8da72751da147
              • Opcode Fuzzy Hash: 2c23262b0eaeeb2f14fce367e67e0b4e8ef2ffc32dc6af9a459dddeebcba396c
              • Instruction Fuzzy Hash: 43718B34604604EFEB609FA5C894FFA7BF9EF0B300F144459EA85A72A3C736A950DB50
              APIs
              • _memset.LIBCMT ref: 0009F448
              • _memset.LIBCMT ref: 0009F511
              • ShellExecuteExW.SHELL32(?), ref: 0009F556
                • Part of subcall function 00029837: __itow.LIBCMT ref: 00029862
                • Part of subcall function 00029837: __swprintf.LIBCMT ref: 000298AC
                • Part of subcall function 0003FC86: _wcscpy.LIBCMT ref: 0003FCA9
              • GetProcessId.KERNEL32(00000000), ref: 0009F5CD
              • CloseHandle.KERNEL32(00000000), ref: 0009F5FC
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
              • String ID: @
              • API String ID: 3522835683-2766056989
              • Opcode ID: 5fe0adb97253bced023339294e0715bf9953a1c34a3e89e87590bbcdccf4bd52
              • Instruction ID: 060f7f30c3f1f895d1a7c2cfe38b708899d59a3abdc1e7a88a93a6c1ef3213ff
              • Opcode Fuzzy Hash: 5fe0adb97253bced023339294e0715bf9953a1c34a3e89e87590bbcdccf4bd52
              • Instruction Fuzzy Hash: D261A075A0062ADFCF14DFA4D8859AEBBF5FF49310F148069E859AB352CB30AD41CB94
              APIs
              • GetParent.USER32(?), ref: 00080F8C
              • GetKeyboardState.USER32(?), ref: 00080FA1
              • SetKeyboardState.USER32(?), ref: 00081002
              • PostMessageW.USER32(?,00000101,00000010,?), ref: 00081030
              • PostMessageW.USER32(?,00000101,00000011,?), ref: 0008104F
              • PostMessageW.USER32(?,00000101,00000012,?), ref: 00081095
              • PostMessageW.USER32(?,00000101,0000005B,?), ref: 000810B8
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: MessagePost$KeyboardState$Parent
              • String ID:
              • API String ID: 87235514-0
              • Opcode ID: fbb03ba71472f444ce31a486ff4325635c2b2385d2774868967fc2c75035740d
              • Instruction ID: 6275c13fe0f5027f664fc4bd8fdcd03f0e0efdcbe49c7fe5febb2e9e2f08b6e8
              • Opcode Fuzzy Hash: fbb03ba71472f444ce31a486ff4325635c2b2385d2774868967fc2c75035740d
              • Instruction Fuzzy Hash: 5D51C3705046D539FB7662348C05BFABEE97F06304F088589E2D8858D3C2D9ACDADB51
              APIs
              • GetParent.USER32(00000000), ref: 00080DA5
              • GetKeyboardState.USER32(?), ref: 00080DBA
              • SetKeyboardState.USER32(?), ref: 00080E1B
              • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00080E47
              • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00080E64
              • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00080EA8
              • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00080EC9
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: MessagePost$KeyboardState$Parent
              • String ID:
              • API String ID: 87235514-0
              • Opcode ID: 273162ca3bb3da2b8212c5dc1a72b12f02673b132e386e0d01fcc2e11811d75d
              • Instruction ID: e32986d5effad549a0aa5fd68798417991e0986487ba3059d82d69205ea05051
              • Opcode Fuzzy Hash: 273162ca3bb3da2b8212c5dc1a72b12f02673b132e386e0d01fcc2e11811d75d
              • Instruction Fuzzy Hash: F351E4A06047D63DFBB2A7748C45BBA7EE97F06300F088889E1D48A8C3C395AC9DD750
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: _wcsncpy$LocalTime
              • String ID:
              • API String ID: 2945705084-0
              • Opcode ID: 82ec2e9cf89d8761e52bf60771b4b209817d484614148cb905c9999a0dd331d4
              • Instruction ID: cf6c48629a6cbd323b23044a2fd4ffc3efaee1df379017cd714ee2169b82f4c1
              • Opcode Fuzzy Hash: 82ec2e9cf89d8761e52bf60771b4b209817d484614148cb905c9999a0dd331d4
              • Instruction Fuzzy Hash: 844160A5C1061476CB11FBB48C46ACFB3A8EF05310F509966F558E3222EB34A755C7EA
              APIs
                • Part of subcall function 0008466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00083697,?), ref: 0008468B
                • Part of subcall function 0008466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00083697,?), ref: 000846A4
              • lstrcmpiW.KERNEL32(?,?), ref: 000836B7
              • _wcscmp.LIBCMT ref: 000836D3
              • MoveFileW.KERNEL32(?,?), ref: 000836EB
              • _wcscat.LIBCMT ref: 00083733
              • SHFileOperationW.SHELL32(?), ref: 0008379F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
              • String ID: \*.*
              • API String ID: 1377345388-1173974218
              • Opcode ID: 1917bd41478c06093c28c7f354001f88b4c444e1edcd669750cc24c51eac2900
              • Instruction ID: 487ebcf66d4f4b3e51a01f82cf3bde860b4b40c9d96628ed8d3d3526253fcb1c
              • Opcode Fuzzy Hash: 1917bd41478c06093c28c7f354001f88b4c444e1edcd669750cc24c51eac2900
              • Instruction Fuzzy Hash: A141AEB1508345AAC762FF64D441ADFB7E8BF89780F00082EB4CAC7252EA34D689C756
              APIs
              • _memset.LIBCMT ref: 000A72AA
              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000A7351
              • IsMenu.USER32(?), ref: 000A7369
              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 000A73B1
              • DrawMenuBar.USER32 ref: 000A73C4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Menu$Item$DrawInfoInsert_memset
              • String ID: 0
              • API String ID: 3866635326-4108050209
              • Opcode ID: a61480c3217a500df1cd81276eb0ef4cd4a4cc703ffdf38c2af5ab97aaf00a20
              • Instruction ID: 9bff109897e564592c63a288f73c9f4a5fd4f8c55b65d6fa97a8cbc20b54476f
              • Opcode Fuzzy Hash: a61480c3217a500df1cd81276eb0ef4cd4a4cc703ffdf38c2af5ab97aaf00a20
              • Instruction Fuzzy Hash: 6C412876A04609EFDF20DF90D884AAABBF8FF06314F158429FD49AB250D730AE54DB50
              APIs
              • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 000A0FD4
              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 000A0FFE
              • FreeLibrary.KERNEL32(00000000), ref: 000A10B5
                • Part of subcall function 000A0FA5: RegCloseKey.ADVAPI32(?), ref: 000A101B
                • Part of subcall function 000A0FA5: FreeLibrary.KERNEL32(?), ref: 000A106D
                • Part of subcall function 000A0FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 000A1090
              • RegDeleteKeyW.ADVAPI32(?,?), ref: 000A1058
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: EnumFreeLibrary$CloseDeleteOpen
              • String ID:
              • API String ID: 395352322-0
              • Opcode ID: 1033e5780dbabd63760893ded9d59177842fd1f0712914bc23aa730592567caa
              • Instruction ID: 1fbe1f01a8adf3d62456e8cc92c334127a0d56d7ffceeef20686218e5d5b80cb
              • Opcode Fuzzy Hash: 1033e5780dbabd63760893ded9d59177842fd1f0712914bc23aa730592567caa
              • Instruction Fuzzy Hash: A0310DB1901109BFEB159FD0DC89EFFB7BCEF09350F000169E511E2151EA749E859AA4
              APIs
              • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 000A62EC
              • GetWindowLongW.USER32(01974A48,000000F0), ref: 000A631F
              • GetWindowLongW.USER32(01974A48,000000F0), ref: 000A6354
              • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 000A6386
              • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 000A63B0
              • GetWindowLongW.USER32(00000000,000000F0), ref: 000A63C1
              • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 000A63DB
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: LongWindow$MessageSend
              • String ID:
              • API String ID: 2178440468-0
              • Opcode ID: 0a124366ab977ea840bc0979843755348bf043956fdb2406ff732235d62bb505
              • Instruction ID: 4ed6a85b02ec01da4d0038bba5d80007e6b9d3542e6dbe289e94130845d6c6f9
              • Opcode Fuzzy Hash: 0a124366ab977ea840bc0979843755348bf043956fdb2406ff732235d62bb505
              • Instruction Fuzzy Hash: 09313436640541EFEB20CF98DC84F6937F1FB4A714F1901A4F511AF2B2CB76A9419B50
              APIs
              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0007DB2E
              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0007DB54
              • SysAllocString.OLEAUT32(00000000), ref: 0007DB57
              • SysAllocString.OLEAUT32(?), ref: 0007DB75
              • SysFreeString.OLEAUT32(?), ref: 0007DB7E
              • StringFromGUID2.OLE32(?,?,00000028), ref: 0007DBA3
              • SysAllocString.OLEAUT32(?), ref: 0007DBB1
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
              • String ID:
              • API String ID: 3761583154-0
              • Opcode ID: ee9f386c962858067969ed833c324dea5df5b0ff67cf3fd4ea403e370c98bcc0
              • Instruction ID: f4de0782a57959cc18591ef26c98be937dabebe4da75d8f15a937a430a1522ba
              • Opcode Fuzzy Hash: ee9f386c962858067969ed833c324dea5df5b0ff67cf3fd4ea403e370c98bcc0
              • Instruction Fuzzy Hash: 45217176A00219AFEB10AFB9DC84CBB73ECEF09360B018566F918DB251D7789C418768
              APIs
                • Part of subcall function 00097D8B: inet_addr.WSOCK32(00000000), ref: 00097DB6
              • socket.WSOCK32(00000002,00000001,00000006), ref: 000961C6
              • WSAGetLastError.WSOCK32(00000000), ref: 000961D5
              • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0009620E
              • connect.WSOCK32(00000000,?,00000010), ref: 00096217
              • WSAGetLastError.WSOCK32 ref: 00096221
              • closesocket.WSOCK32(00000000), ref: 0009624A
              • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00096263
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
              • String ID:
              • API String ID: 910771015-0
              • Opcode ID: 83124746765d85591719afc3f079e3bfd05610e23d2e2b2ae350e38eb9ad0951
              • Instruction ID: ed753c059357eede07dd81e51917cdf9008b791da33fc37ea180ba95520a00a5
              • Opcode Fuzzy Hash: 83124746765d85591719afc3f079e3bfd05610e23d2e2b2ae350e38eb9ad0951
              • Instruction Fuzzy Hash: 9731B331600518AFEF10AF64DC85BBE77ACEF45750F044069FD05A7292DB75AC049BA1
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: __wcsnicmp
              • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
              • API String ID: 1038674560-2734436370
              • Opcode ID: 9131b86d3a648ec66f2ee333bc617306cb408b81284cfded0415c5b89a1f763d
              • Instruction ID: 563310585fbc2dbb7bfdb56927253f49c59926ae10359eaf5ff92d23293b2be0
              • Opcode Fuzzy Hash: 9131b86d3a648ec66f2ee333bc617306cb408b81284cfded0415c5b89a1f763d
              • Instruction Fuzzy Hash: BE216BB2A0851366D234B634AC02EFB73D8EF55340F10C039F98A8B092EB699D41D39D
              APIs
              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0007DC09
              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0007DC2F
              • SysAllocString.OLEAUT32(00000000), ref: 0007DC32
              • SysAllocString.OLEAUT32 ref: 0007DC53
              • SysFreeString.OLEAUT32 ref: 0007DC5C
              • StringFromGUID2.OLE32(?,?,00000028), ref: 0007DC76
              • SysAllocString.OLEAUT32(?), ref: 0007DC84
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
              • String ID:
              • API String ID: 3761583154-0
              • Opcode ID: ff940b9e3ccd4e1adc6b139e6513c2f72c036dda1d5a36c11b71d971f1d76cb3
              • Instruction ID: 48cee972806f692647e29eeaf587236843bc1ac5531a9327df1732a346e291c3
              • Opcode Fuzzy Hash: ff940b9e3ccd4e1adc6b139e6513c2f72c036dda1d5a36c11b71d971f1d76cb3
              • Instruction Fuzzy Hash: 32213375604205AFEB10ABE8DC88DBA77ECEF09360B10C126F918CB261D678DC41D768
              APIs
                • Part of subcall function 00021D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00021D73
                • Part of subcall function 00021D35: GetStockObject.GDI32(00000011), ref: 00021D87
                • Part of subcall function 00021D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00021D91
              • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 000A7632
              • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 000A763F
              • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 000A764A
              • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 000A7659
              • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 000A7665
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: MessageSend$CreateObjectStockWindow
              • String ID: Msctls_Progress32
              • API String ID: 1025951953-3636473452
              • Opcode ID: 9c7cc23c757cf7fba90e763a27f251471cab5e423e869d266611a78e37c4263b
              • Instruction ID: cc422d2bccd1c95d6fae7faa7a815965acb784d9da992680927fe331181c5329
              • Opcode Fuzzy Hash: 9c7cc23c757cf7fba90e763a27f251471cab5e423e869d266611a78e37c4263b
              • Instruction Fuzzy Hash: 4211C8B1110219BFEF158FA4CC85EE77F5DEF09798F014115B708A6051C7729C21DBA4
              APIs
              • __init_pointers.LIBCMT ref: 00049AE6
                • Part of subcall function 00043187: EncodePointer.KERNEL32(00000000), ref: 0004318A
                • Part of subcall function 00043187: __initp_misc_winsig.LIBCMT ref: 000431A5
                • Part of subcall function 00043187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00049EA0
                • Part of subcall function 00043187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00049EB4
                • Part of subcall function 00043187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00049EC7
                • Part of subcall function 00043187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00049EDA
                • Part of subcall function 00043187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00049EED
                • Part of subcall function 00043187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00049F00
                • Part of subcall function 00043187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00049F13
                • Part of subcall function 00043187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00049F26
                • Part of subcall function 00043187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00049F39
                • Part of subcall function 00043187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00049F4C
                • Part of subcall function 00043187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00049F5F
                • Part of subcall function 00043187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00049F72
                • Part of subcall function 00043187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00049F85
                • Part of subcall function 00043187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00049F98
                • Part of subcall function 00043187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00049FAB
                • Part of subcall function 00043187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00049FBE
              • __mtinitlocks.LIBCMT ref: 00049AEB
              • __mtterm.LIBCMT ref: 00049AF4
                • Part of subcall function 00049B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00049AF9,00047CD0,000DA0B8,00000014), ref: 00049C56
                • Part of subcall function 00049B5C: _free.LIBCMT ref: 00049C5D
                • Part of subcall function 00049B5C: DeleteCriticalSection.KERNEL32(000DEC00,?,?,00049AF9,00047CD0,000DA0B8,00000014), ref: 00049C7F
              • __calloc_crt.LIBCMT ref: 00049B19
              • __initptd.LIBCMT ref: 00049B3B
              • GetCurrentThreadId.KERNEL32 ref: 00049B42
              Similarity
              • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
              • String ID:
              APIs
              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00043F85), ref: 00044085
              • GetProcAddress.KERNEL32(00000000), ref: 0004408C
              • EncodePointer.KERNEL32(00000000), ref: 00044097
              • DecodePointer.KERNEL32(00043F85), ref: 000440B2
              Similarity
              • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
              • String ID: RoUninitialize$combase.dll
              Similarity
              • API ID: _memmove$__itow__swprintf
              • String ID:
              APIs
                • Part of subcall function 00027DE1: _memmove.LIBCMT ref: 00027E22
                • Part of subcall function 000A0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0009FDAD,?,?), ref: 000A0E31
              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000A02BD
              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 000A02FD
              • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 000A0320
              • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 000A0349
              • RegCloseKey.ADVAPI32(?,?,00000000), ref: 000A038C
              • RegCloseKey.ADVAPI32(00000000), ref: 000A0399
              Similarity
              • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
              • String ID:
              APIs
              • GetMenu.USER32(?), ref: 000A57FB
              • GetMenuItemCount.USER32(00000000), ref: 000A5832
              • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 000A585A
              • GetMenuItemID.USER32(?,?), ref: 000A58C9
              • GetSubMenu.USER32(?,?), ref: 000A58D7
              • PostMessageW.USER32(?,00000111,?,00000000), ref: 000A5928
              Similarity
              • API ID: Menu$Item$CountMessagePostString
              • String ID:
              APIs
              • VariantInit.OLEAUT32(?), ref: 0007EF06
              • VariantClear.OLEAUT32(00000013), ref: 0007EF78
              • VariantClear.OLEAUT32(00000000), ref: 0007EFD3
              • _memmove.LIBCMT ref: 0007EFFD
              • VariantClear.OLEAUT32(?), ref: 0007F04A
              • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0007F078
              Similarity
              • API ID: Variant$Clear$ChangeInitType_memmove
              • String ID:
              APIs
              • _memset.LIBCMT ref: 00082258
              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000822A3
              • IsMenu.USER32(00000000), ref: 000822C3
              • CreatePopupMenu.USER32 ref: 000822F7
              • GetMenuItemCount.USER32(000000FF), ref: 00082355
              • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00082386
              Similarity
              • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
              • String ID:
              APIs
                • Part of subcall function 00022612: GetWindowLongW.USER32(?,000000EB), ref: 00022623
              • BeginPaint.USER32(?,?,?,?,?,?), ref: 0002179A
              • GetWindowRect.USER32(?,?), ref: 000217FE
              • ScreenToClient.USER32(?,?), ref: 0002181B
              • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0002182C
              • EndPaint.USER32(?,?), ref: 00021876
              Similarity
              • API ID: PaintWindow$BeginClientLongRectScreenViewport
              • String ID:
              APIs
              • ShowWindow.USER32(000E57B0,00000000,01974A48,?,?,000E57B0,?,000AB5A8,?,?), ref: 000AB712
              • EnableWindow.USER32(00000000,00000000), ref: 000AB736
              • ShowWindow.USER32(000E57B0,00000000,01974A48,?,?,000E57B0,?,000AB5A8,?,?), ref: 000AB796
              • ShowWindow.USER32(00000000,00000004,?,000AB5A8,?,?), ref: 000AB7A8
              • EnableWindow.USER32(00000000,00000001), ref: 000AB7CC
              • SendMessageW.USER32(?,0000130C,?,00000000), ref: 000AB7EF
              Similarity
              • API ID: Window$Show$Enable$MessageSend
              • String ID:
              APIs
              • GetForegroundWindow.USER32(?,?,?,?,?,?,00094E41,?,?,00000000,00000001), ref: 000970AC
                • Part of subcall function 000939A0: GetWindowRect.USER32(?,?), ref: 000939B3
              • GetDesktopWindow.USER32 ref: 000970D6
              • GetWindowRect.USER32(00000000), ref: 000970DD
              • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0009710F
                • Part of subcall function 00085244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 000852BC
              • GetCursorPos.USER32(?), ref: 0009713B
              • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00097199
              Similarity
              • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
              • String ID:
              APIs
                • Part of subcall function 000780A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 000780C0
                • Part of subcall function 000780A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 000780CA
                • Part of subcall function 000780A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 000780D9
                • Part of subcall function 000780A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 000780E0
                • Part of subcall function 000780A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 000780F6
              • GetLengthSid.ADVAPI32(?,00000000,0007842F), ref: 000788CA
              • GetProcessHeap.KERNEL32(00000008,00000000), ref: 000788D6
              • HeapAlloc.KERNEL32(00000000), ref: 000788DD
              • CopySid.ADVAPI32(00000000,00000000,?), ref: 000788F6
              • GetProcessHeap.KERNEL32(00000000,00000000,0007842F), ref: 0007890A
              • HeapFree.KERNEL32(00000000), ref: 00078911
              Similarity
              • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
              • String ID:
              APIs
              • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 000785E2
              • OpenProcessToken.ADVAPI32(00000000), ref: 000785E9
              • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 000785F8
              • CloseHandle.KERNEL32(00000004), ref: 00078603
              • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00078632
              • DestroyEnvironmentBlock.USERENV(00000000), ref: 00078646
              Similarity
              • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
              • String ID:
              APIs
              • GetDC.USER32(00000000), ref: 0007B7B5
              • GetDeviceCaps.GDI32(00000000,00000058), ref: 0007B7C6
              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0007B7CD
              • ReleaseDC.USER32(00000000,00000000), ref: 0007B7D5
              • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0007B7EC
              • MulDiv.KERNEL32(000009EC,?,?), ref: 0007B7FE
              Similarity
              • API ID: CapsDevice$Release
              • String ID:
              APIs
              • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00040193
              • MapVirtualKeyW.USER32(00000010,00000000), ref: 0004019B
              • MapVirtualKeyW.USER32(000000A0,00000000), ref: 000401A6
              • MapVirtualKeyW.USER32(000000A1,00000000), ref: 000401B1
              • MapVirtualKeyW.USER32(00000011,00000000), ref: 000401B9
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 000401C1
              Similarity
              • API ID: Virtual
              • String ID:
              APIs
              • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 000853F9
              • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0008540F
              • GetWindowThreadProcessId.USER32(?,?), ref: 0008541E
              • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0008542D
              • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00085437
              • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0008543E
              Similarity
              • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
              • String ID:
              APIs
              • InterlockedExchange.KERNEL32(?,?), ref: 00087243
              • EnterCriticalSection.KERNEL32(?,?,00030EE4,?,?), ref: 00087254
              • TerminateThread.KERNEL32(00000000,000001F6,?,00030EE4,?,?), ref: 00087261
              • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00030EE4,?,?), ref: 0008726E
                • Part of subcall function 00086C35: CloseHandle.KERNEL32(00000000,?,0008727B,?,00030EE4,?,?), ref: 00086C3F
              • InterlockedExchange.KERNEL32(?,000001F6), ref: 00087281
              • LeaveCriticalSection.KERNEL32(?,?,00030EE4,?,?), ref: 00087288
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
              • String ID:
              • API String ID: 3495660284-0
              • Opcode ID: 3361136b0b8984b37d718b4eb995742bc6095102d80ce8c96a60db01973490a0
              • Instruction ID: 4145441ffa3eb3126cb7a178af19dbae3ae851949107653fc58be2e51cf8cefa
              • Opcode Fuzzy Hash: 3361136b0b8984b37d718b4eb995742bc6095102d80ce8c96a60db01973490a0
              • Instruction Fuzzy Hash: 23F05E36540A13EBE7A22BA4ED4CAFA7769FF46702B100531F543910A4DB7A5801CB50
              APIs
              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0007899D
              • UnloadUserProfile.USERENV(?,?), ref: 000789A9
              • CloseHandle.KERNEL32(?), ref: 000789B2
              • CloseHandle.KERNEL32(?), ref: 000789BA
              • GetProcessHeap.KERNEL32(00000000,?), ref: 000789C3
              • HeapFree.KERNEL32(00000000), ref: 000789CA
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
              • String ID:
              • API String ID: 146765662-0
              • Opcode ID: 7813bd57702af6500194af6e85f693904436c2f7b6635021c663f5c3917fab50
              • Instruction ID: 9bce13c2dfee74042a0bc12fb3025c666e75b57f81c858b2de37678767bbda8f
              • Opcode Fuzzy Hash: 7813bd57702af6500194af6e85f693904436c2f7b6635021c663f5c3917fab50
              • Instruction Fuzzy Hash: 98E05276104906FFEB012FE5EC0C96ABB69FB8A762B508631F219C1470CB3A9461DB50
              APIs
              • VariantInit.OLEAUT32(?), ref: 00098613
              • CharUpperBuffW.USER32(?,?), ref: 00098722
              • VariantClear.OLEAUT32(?), ref: 0009889A
                • Part of subcall function 00087562: VariantInit.OLEAUT32(00000000), ref: 000875A2
                • Part of subcall function 00087562: VariantCopy.OLEAUT32(00000000,?), ref: 000875AB
                • Part of subcall function 00087562: VariantClear.OLEAUT32(00000000), ref: 000875B7
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Variant$ClearInit$BuffCharCopyUpper
              • String ID: AUTOIT.ERROR$Incorrect Parameter format
              • API String ID: 4237274167-1221869570
              • Opcode ID: f48a326367e2484b45c99d5cb752f5d2f6215b35d8d13fc9f038ca501dfd6143
              • Instruction ID: ef23781741528de16e141877cc6e0f1c2e1931381ae839dda698e383e3f83b03
              • Opcode Fuzzy Hash: f48a326367e2484b45c99d5cb752f5d2f6215b35d8d13fc9f038ca501dfd6143
              • Instruction Fuzzy Hash: CA917F716083019FCB10DF64C48499BB7E4EF8A714F14896EF89A9B362DB31E945CB52
              APIs
                • Part of subcall function 0003FC86: _wcscpy.LIBCMT ref: 0003FCA9
              • _memset.LIBCMT ref: 00082B87
              • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00082BB6
              • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00082C69
              • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00082C97
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: ItemMenu$Info$Default_memset_wcscpy
              • String ID: 0
              • API String ID: 4152858687-4108050209
              • Opcode ID: 9b2df942cb7ba268198287c4d4e96b867299918bf9b03033bd1409be3cd2c67b
              • Instruction ID: eceaa1e9cfe1aabd7da663c9abd3af4cba8297ab0705beea9580f435e3e953aa
              • Opcode Fuzzy Hash: 9b2df942cb7ba268198287c4d4e96b867299918bf9b03033bd1409be3cd2c67b
              • Instruction Fuzzy Hash: 0951CBB16093019ED7A5EE28D845ABFB7E8FF89310F040A2DF8D5E6291DB74CC048792
              APIs
              • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0007D5D4
              • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0007D60A
              • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0007D61B
              • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0007D69D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: ErrorMode$AddressCreateInstanceProc
              • String ID: DllGetClassObject
              • API String ID: 753597075-1075368562
              • Opcode ID: e19c3dd14c439424925803bbf66ce1ee3808f11ea12d19cb61dada19116165cb
              • Instruction ID: abe641ad3fc41349b9ca6dc1aa06c1cf56917acc27122612f3f66288ffc6f4cd
              • Opcode Fuzzy Hash: e19c3dd14c439424925803bbf66ce1ee3808f11ea12d19cb61dada19116165cb
              • Instruction Fuzzy Hash: 84418FB1A00205EFDB15DF54C884A9A7BB9EF44310F15C1AEED0D9F206D7B9D940CBA4
              APIs
              • _memset.LIBCMT ref: 000827C0
              • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 000827DC
              • DeleteMenu.USER32(?,00000007,00000000), ref: 00082822
              • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,000E5890,00000000), ref: 0008286B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Menu$Delete$InfoItem_memset
              • String ID: 0
              • API String ID: 1173514356-4108050209
              • Opcode ID: acb8fdddb7055a547abc8d827245e93334d52d85eafc87d57912764f2a3c537c
              • Instruction ID: 4e69830131555922016aed6c55939c41063725c6b40133b75fba501094221655
              • Opcode Fuzzy Hash: acb8fdddb7055a547abc8d827245e93334d52d85eafc87d57912764f2a3c537c
              • Instruction Fuzzy Hash: C9418E70605341EFDB24EF24C844B6ABBE8FF85324F14492EF9A597292DB30A905CB52
              APIs
              • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0009D7C5
                • Part of subcall function 0002784B: _memmove.LIBCMT ref: 00027899
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: BuffCharLower_memmove
              • String ID: cdecl$none$stdcall$winapi
              • API String ID: 3425801089-567219261
              • Opcode ID: 1388fa4558b26ad392a376b0076e5fd5d9a29935f92fe8cd8af9c7c8b7858f55
              • Instruction ID: e9080cf8766f9a68af6fbc5db21b850cf21024e6383d9823cc56abdc86109fe0
              • Opcode Fuzzy Hash: 1388fa4558b26ad392a376b0076e5fd5d9a29935f92fe8cd8af9c7c8b7858f55
              • Instruction Fuzzy Hash: D3318D7194461AABCF00EF54CC519FEB3B5FF05320B10862AE869A77D2DB71A905CB90
              APIs
                • Part of subcall function 00027DE1: _memmove.LIBCMT ref: 00027E22
                • Part of subcall function 0007AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0007AABC
              • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00078F14
              • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00078F27
              • SendMessageW.USER32(?,00000189,?,00000000), ref: 00078F57
                • Part of subcall function 00027BCC: _memmove.LIBCMT ref: 00027C06
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: MessageSend$_memmove$ClassName
              • String ID: ComboBox$ListBox
              • API String ID: 365058703-1403004172
              • Opcode ID: fd537540212d6dedd058143e13f3342db3030761fcd1952e7682f3bd7c5da4f5
              • Instruction ID: de1b749e2c1bc05896cf10206044f748d25ddb99c32881edbd1a11ea4f3f90c2
              • Opcode Fuzzy Hash: fd537540212d6dedd058143e13f3342db3030761fcd1952e7682f3bd7c5da4f5
              • Instruction Fuzzy Hash: 3621F271E40104BEDB14ABB09C49DFFB7A9DF06360B04C12AF429A72E2DF3958099764
              APIs
              • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0009184C
              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00091872
              • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 000918A2
              • InternetCloseHandle.WININET(00000000), ref: 000918E9
                • Part of subcall function 00092483: GetLastError.KERNEL32(?,?,00091817,00000000,00000000,00000001), ref: 00092498
                • Part of subcall function 00092483: SetEvent.KERNEL32(?,?,00091817,00000000,00000000,00000001), ref: 000924AD
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
              • String ID:
              • API String ID: 3113390036-3916222277
              • Opcode ID: d5c42c6395359531146e71c8d921b510e9a5572ef103ec01a062e591f93308e6
              • Instruction ID: cd14aa7b770580a96af921f05f365dc61300501c3ea1424b929fa24c636e1da7
              • Opcode Fuzzy Hash: d5c42c6395359531146e71c8d921b510e9a5572ef103ec01a062e591f93308e6
              • Instruction Fuzzy Hash: 4321BEB5604209BFEB119BA0DC85EFF77EDEB49744F10412AF805A6280EA648D04B7A0
              APIs
                • Part of subcall function 00021D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00021D73
                • Part of subcall function 00021D35: GetStockObject.GDI32(00000011), ref: 00021D87
                • Part of subcall function 00021D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00021D91
              • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 000A6461
              • LoadLibraryW.KERNEL32(?), ref: 000A6468
              • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 000A647D
              • DestroyWindow.USER32(?), ref: 000A6485
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
              • String ID: SysAnimate32
              • API String ID: 4146253029-1011021900
              • Opcode ID: d5675b93e7bb76b3632ee04013b2b361c11783e9cf7da1161a7580f3cf4c752d
              • Instruction ID: e6cbdaabdafee42433e133b0c84981ed3623d846c7226e3fd21a0fa24f82143a
              • Opcode Fuzzy Hash: d5675b93e7bb76b3632ee04013b2b361c11783e9cf7da1161a7580f3cf4c752d
              • Instruction Fuzzy Hash: 4D21BB72200205ABEF104FE4DC80EBB37FDEB5A368F184629FA1097090C7369C41A760
              APIs
              • GetStdHandle.KERNEL32(0000000C), ref: 00086DBC
              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00086DEF
              • GetStdHandle.KERNEL32(0000000C), ref: 00086E01
              • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00086E3B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: CreateHandle$FilePipe
              • String ID: nul
              • API String ID: 4209266947-2873401336
              • Opcode ID: 52cca21dfbc3693f8d0478200ac716de3ebe4f6cb66d878245d84d2168d8de59
              • Instruction ID: f4f986f047031842eae4ada80e51dc534fd6bf5f669f680bb8db2d11a2c5d3f5
              • Opcode Fuzzy Hash: 52cca21dfbc3693f8d0478200ac716de3ebe4f6cb66d878245d84d2168d8de59
              • Instruction Fuzzy Hash: 73218174A0030AABDB20AF69DC04BAA77E8FF45720F214619FDE1D72D0DB729950CB50
              APIs
              • GetStdHandle.KERNEL32(000000F6), ref: 00086E89
              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00086EBB
              • GetStdHandle.KERNEL32(000000F6), ref: 00086ECC
              • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00086F06
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: CreateHandle$FilePipe
              • String ID: nul
              • API String ID: 4209266947-2873401336
              • Opcode ID: 50c673020e21fc721b0b2606e8861ffa6a8716f67bbc7b0ad68c1b70a9a63d53
              • Instruction ID: c933aa16e5a2f6fd09176b2de9f9fd9946c7cbb6783df91fe4b959a74c4781fe
              • Opcode Fuzzy Hash: 50c673020e21fc721b0b2606e8861ffa6a8716f67bbc7b0ad68c1b70a9a63d53
              • Instruction Fuzzy Hash: 2C2183796003069BDB30AF69DC04AAA77E8FF55720F214A19FDE1D72D0DB72A851CB60
              APIs
              • SetErrorMode.KERNEL32(00000001), ref: 0008AC54
              • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0008ACA8
              • __swprintf.LIBCMT ref: 0008ACC1
              • SetErrorMode.KERNEL32(00000000,00000001,00000000,000AF910), ref: 0008ACFF
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: ErrorMode$InformationVolume__swprintf
              • String ID: %lu
              • API String ID: 3164766367-685833217
              • Opcode ID: 7559134ff3227ba441995f26486f91890e421db3e073d2f80aa7c78e07d98d96
              • Instruction ID: 0f477f0658c4b79bcc1ecd7054ae0582f97f4e10ffb74282d0f0dbc669a5f088
              • Opcode Fuzzy Hash: 7559134ff3227ba441995f26486f91890e421db3e073d2f80aa7c78e07d98d96
              • Instruction Fuzzy Hash: 8E214171A00209AFDB10EFA5D945EEE7BB8FF49714B004069F9099B252DB71EA41CB61
              APIs
              • CharUpperBuffW.USER32(?,?), ref: 00081B19
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: BuffCharUpper
              • String ID: APPEND$EXISTS$KEYS$REMOVE
              • API String ID: 3964851224-769500911
              • Opcode ID: 0dcfc83b6d834fe137906099dceb0168992b43a3eb0b9ea09a685b03e2abab37
              • Instruction ID: 0f7eafb6905cafcf19aaa704861d86411cbf0d0cf3cae02a0a1c94a6159ba23f
              • Opcode Fuzzy Hash: 0dcfc83b6d834fe137906099dceb0168992b43a3eb0b9ea09a685b03e2abab37
              • Instruction Fuzzy Hash: 3D1180B09402199FCF40EFA4E8518FEB7B8FF26304F1084A9D858A7392EB325D06CB54
              APIs
              • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0009EC07
              • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0009EC37
              • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0009ED6A
              • CloseHandle.KERNEL32(?), ref: 0009EDEB
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Process$CloseCountersHandleInfoMemoryOpen
              • String ID:
              • API String ID: 2364364464-0
              • Opcode ID: 1d61a05fe6e28d8dbc5b1f9bfaba11dd9a87a7e25dfde9eeeb756e95e94166ff
              • Instruction ID: 7902dd8618ba2678b1f970d9300962845549c69c19ef97224a6a95afb9b717b4
              • Opcode Fuzzy Hash: 1d61a05fe6e28d8dbc5b1f9bfaba11dd9a87a7e25dfde9eeeb756e95e94166ff
              • Instruction Fuzzy Hash: A3818271600710AFDB60EF28D886F6AB7E5AF48710F44881DF999DB2D2DB70AC44CB51
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
              • String ID:
              • API String ID: 1559183368-0
              • Opcode ID: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
              • Instruction ID: fbfc39867ccac45375053d5429d7a8e2f45aa395cd055cf3571860bbcb2af5bc
              • Opcode Fuzzy Hash: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
              • Instruction Fuzzy Hash: 1651B6B0A00F05DBDB249FA9DC506BE77F2AF41326F248739F8259A2D2D7709D508B48
              APIs
                • Part of subcall function 00027DE1: _memmove.LIBCMT ref: 00027E22
                • Part of subcall function 000A0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0009FDAD,?,?), ref: 000A0E31
              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000A00FD
              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 000A013C
              • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 000A0183
              • RegCloseKey.ADVAPI32(?,?), ref: 000A01AF
              • RegCloseKey.ADVAPI32(00000000), ref: 000A01BC
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
              • String ID:
              • API String ID: 3440857362-0
              • Opcode ID: 97de699e22d93c24a56abcf4d2a2603a34f1ef32eb448d54fecc242bbecdb52a
              • Instruction ID: 32890c1ca6ac7a23cc6900984ebe4ed1dba2c15714907d7141730226597b9d91
              • Opcode Fuzzy Hash: 97de699e22d93c24a56abcf4d2a2603a34f1ef32eb448d54fecc242bbecdb52a
              • Instruction Fuzzy Hash: 6C519E71208205AFD714EF94DC91EAEB7E8FF85304F40492DF595872A2DB31E944CB52
              APIs
                • Part of subcall function 00029837: __itow.LIBCMT ref: 00029862
                • Part of subcall function 00029837: __swprintf.LIBCMT ref: 000298AC
              • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0009D927
              • GetProcAddress.KERNEL32(00000000,?), ref: 0009D9AA
              • GetProcAddress.KERNEL32(00000000,00000000), ref: 0009D9C6
              • GetProcAddress.KERNEL32(00000000,?), ref: 0009DA07
              • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0009DA21
                • Part of subcall function 00025A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00087896,?,?,00000000), ref: 00025A2C
                • Part of subcall function 00025A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00087896,?,?,00000000,?,?), ref: 00025A50
              Similarity
              • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
              • String ID:
              • API String ID: 327935632-0
              • Opcode ID: 332c6fc037da5f4bca45286ebc5d6250bb277d61e9444b6953e7a2a31458bca9
              • Instruction ID: df72ca67dc85cc393e0cdae25259af7fa6506eb34985ebd62aad16cd2a03e38d
              • Opcode Fuzzy Hash: 332c6fc037da5f4bca45286ebc5d6250bb277d61e9444b6953e7a2a31458bca9
              • Instruction Fuzzy Hash: EE512635A00619DFCB00EFA8D8849ADB7F5FF19324B0480A6E859AB312DB31ED45CF91
              APIs
              • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0008E61F
              • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0008E648
              • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0008E687
                • Part of subcall function 00029837: __itow.LIBCMT ref: 00029862
                • Part of subcall function 00029837: __swprintf.LIBCMT ref: 000298AC
              • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0008E6AC
              • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0008E6B4
              Similarity
              • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
              • String ID:
              • API String ID: 1389676194-0
              • Opcode ID: 399616e830cd00d26f65a3ac5ca39547573ef8d30a6ba2f9a442d7316fcb8185
              • Instruction ID: b128055b1bf13273398d54a2daef6bb9794b91aeb8a06b1cb90cb27007307793
              • Opcode Fuzzy Hash: 399616e830cd00d26f65a3ac5ca39547573ef8d30a6ba2f9a442d7316fcb8185
              • Instruction Fuzzy Hash: D6512735A00615DFCB01EF64D981AAEBBF5FF09314F1880A9E849AB362DB31ED11DB54
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 197bbe1803be6e20787745a54e8a1829ee7556a113225832a28504a83e5c2e41
              • Instruction ID: 88024e34078931ec3621327b0c760bdc1bd0c379b72f0e91f57247e846fd08dc
              • Opcode Fuzzy Hash: 197bbe1803be6e20787745a54e8a1829ee7556a113225832a28504a83e5c2e41
              • Instruction Fuzzy Hash: A841B135A04504BFD760DFA8CC88FB9BBE8EB0B310F140665F916A72E1CB34AD41DA51
              APIs
              • GetCursorPos.USER32(?), ref: 00022357
              • ScreenToClient.USER32(000E57B0,?), ref: 00022374
              • GetAsyncKeyState.USER32(00000001), ref: 00022399
              • GetAsyncKeyState.USER32(00000002), ref: 000223A7
              Similarity
              • API ID: AsyncState$ClientCursorScreen
              • String ID:
              • API String ID: 4210589936-0
              • Opcode ID: 2b3f172f134ce9467c65b35d7078d653525f4378824f731a84f549ef33798f4b
              • Instruction ID: 5215c517c964a54b34ca3a1d0649f3ee681d2865ba5f6bae100e4c2c8197ba21
              • Opcode Fuzzy Hash: 2b3f172f134ce9467c65b35d7078d653525f4378824f731a84f549ef33798f4b
              • Instruction Fuzzy Hash: 57418335504215FFDF25DFA8C844AEEBBB4FB05365F204315F82892190C735AA54DB90
              APIs
              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000763E7
              • TranslateAcceleratorW.USER32(?,?,?), ref: 00076433
              • TranslateMessage.USER32(?), ref: 0007645C
              • DispatchMessageW.USER32(?), ref: 00076466
              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00076475
              Similarity
              • API ID: Message$PeekTranslate$AcceleratorDispatch
              • String ID:
              • API String ID: 2108273632-0
              • Opcode ID: 37a2ef37531dbdc4858821bc53d5fb4b496a006733d272ae20db746335511043
              • Instruction ID: 53054dd8968aac6f2eb11b0d9a132b952aa3fb9faed2bf7364857e8ac7cad24a
              • Opcode Fuzzy Hash: 37a2ef37531dbdc4858821bc53d5fb4b496a006733d272ae20db746335511043
              • Instruction Fuzzy Hash: 2F312D70D00E42AFEB64CFB0DC84BB67BECAB01705F148569E51AE71A0D73E9445D764
              APIs
              • GetWindowRect.USER32(?,?), ref: 00078A30
              • PostMessageW.USER32(?,00000201,00000001), ref: 00078ADA
              • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00078AE2
              • PostMessageW.USER32(?,00000202,00000000), ref: 00078AF0
              • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00078AF8
              Similarity
              • API ID: MessagePostSleep$RectWindow
              • String ID:
              • API String ID: 3382505437-0
              • Opcode ID: 18e6c597f77dd0417df08f1a4e28f0cba65b1f924ec6fa1a7d805f8d58199680
              • Instruction ID: 1c9c7b667cade136add0fb5dc971d2de6d3b1ccde72576c154eef22c39a3295b
              • Opcode Fuzzy Hash: 18e6c597f77dd0417df08f1a4e28f0cba65b1f924ec6fa1a7d805f8d58199680
              • Instruction Fuzzy Hash: 4E31C271900219FBEF14CFA8D94CAAE3BB5EB05315F10C22AF929E61D1C7B49914DB91
              APIs
              • IsWindowVisible.USER32(?), ref: 0007B204
              • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0007B221
              • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0007B259
              • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0007B27F
              • _wcsstr.LIBCMT ref: 0007B289
              Similarity
              • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
              • String ID:
              • API String ID: 3902887630-0
              • Opcode ID: a5f81a0afa787caedd0a1909117980d9b10b650b32ac617f4b986b4b0eb6859a
              • Instruction ID: 00c3fbdfcf520a9e6233ae8089f60db5137f25b3bae1384c9499eefc3a0ff8a6
              • Opcode Fuzzy Hash: a5f81a0afa787caedd0a1909117980d9b10b650b32ac617f4b986b4b0eb6859a
              • Instruction Fuzzy Hash: E1210771A052057BEB255B799C09F7F7B9CDF4A750F008139F808DA162EF79DC4192A4
              APIs
                • Part of subcall function 00022612: GetWindowLongW.USER32(?,000000EB), ref: 00022623
              • GetWindowLongW.USER32(?,000000F0), ref: 000AB192
              • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 000AB1B7
              • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 000AB1CF
              • GetSystemMetrics.USER32(00000004), ref: 000AB1F8
              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00090E90,00000000), ref: 000AB216
              Similarity
              • API ID: Window$Long$MetricsSystem
              • String ID:
              • API String ID: 2294984445-0
              • Opcode ID: 3f9f46c8f0d400982d2cba812dbf33cfcca443859eb5d660ddb2dbbf5842c543
              • Instruction ID: 20954b792be2502f362cc4f38d93ea9578b9813c321ca9776b117dbb6d7f4219
              • Opcode Fuzzy Hash: 3f9f46c8f0d400982d2cba812dbf33cfcca443859eb5d660ddb2dbbf5842c543
              • Instruction Fuzzy Hash: 1521B431910651AFDB609FB8DC04B6A37A4FB07721F104B35F932D71E1E73098218B80
              APIs
              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00079320
                • Part of subcall function 00027BCC: _memmove.LIBCMT ref: 00027C06
              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00079352
              • __itow.LIBCMT ref: 0007936A
              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00079392
              • __itow.LIBCMT ref: 000793A3
              Similarity
              • API ID: MessageSend$__itow$_memmove
              • String ID:
              • API String ID: 2983881199-0
              • Opcode ID: a71c14b50a556b2e470dcebca253fae1959b525f4a0c87c9b055fb9fba9718d7
              • Instruction ID: 1a92698145028bb8f80c90d75fac27a9464b54f98593ceab1ddfce2611cb2f20
              • Opcode Fuzzy Hash: a71c14b50a556b2e470dcebca253fae1959b525f4a0c87c9b055fb9fba9718d7
              • Instruction Fuzzy Hash: E821F931B01218BBDB119FA49C85EEE7BADEB49710F048029FD0DEB1D1D6B4CE4187A5
              APIs
              • IsWindow.USER32(00000000), ref: 00095A6E
              • GetForegroundWindow.USER32 ref: 00095A85
              • GetDC.USER32(00000000), ref: 00095AC1
              • GetPixel.GDI32(00000000,?,00000003), ref: 00095ACD
              • ReleaseDC.USER32(00000000,00000003), ref: 00095B08
              Similarity
              • API ID: Window$ForegroundPixelRelease
              • String ID:
              • API String ID: 4156661090-0
              • Opcode ID: c202d7fd7e43058ea9c9ea2d0377650350bb7b6d0e36f3cf57950a32219c5a6c
              • Instruction ID: e3a81223531db52f973f6eb1d54c55b4742433fb2fc71a4b8963ca31d84b2d38
              • Opcode Fuzzy Hash: c202d7fd7e43058ea9c9ea2d0377650350bb7b6d0e36f3cf57950a32219c5a6c
              • Instruction Fuzzy Hash: 60219D35A00604AFDB14EFA5DD88AAABBF5EF49311F148079F849D7362CA34AC40DB90
              APIs
              • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0002134D
              • SelectObject.GDI32(?,00000000), ref: 0002135C
              • BeginPath.GDI32(?), ref: 00021373
              • SelectObject.GDI32(?,00000000), ref: 0002139C
              Similarity
              • API ID: ObjectSelect$BeginCreatePath
              • String ID:
              • API String ID: 3225163088-0
              • Opcode ID: ae2195aef545bb747d5a2c896f0abdf476fa5542ba09faf35406d1b9db9a4c60
              • Instruction ID: 93ddbd649be225f72a5fb6eeb4b1025ebe229add7cc3d1a37168d1e5ddbfe114
              • Opcode Fuzzy Hash: ae2195aef545bb747d5a2c896f0abdf476fa5542ba09faf35406d1b9db9a4c60
              • Instruction Fuzzy Hash: 5B21B630800654EFEB10CF55ED847AD3BE9FB14716F244626F814BA1B0DBB89991CF90
              APIs
              Similarity
              • API ID: _memcmp
              • String ID:
              • API String ID: 2931989736-0
              • Opcode ID: c63176f4c6bf11eb7be622220f7a2904ab36585bcce7966750509f126a1b9b76
              • Instruction ID: c12fe93914d91c31c845ae914e55dcd1ceece2a46586023ee252ebc1bfd66817
              • Opcode Fuzzy Hash: c63176f4c6bf11eb7be622220f7a2904ab36585bcce7966750509f126a1b9b76
              • Instruction Fuzzy Hash: 3D01B5B2A001097BD2157A119D42FFFBB5CDF50398F04C021FE0D9A243FB54DE1082A8
              APIs
              • GetCurrentThreadId.KERNEL32 ref: 00084ABA
              • __beginthreadex.LIBCMT ref: 00084AD8
              • MessageBoxW.USER32(?,?,?,?), ref: 00084AED
              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00084B03
              • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00084B0A
              Similarity
              • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
              • String ID:
              • API String ID: 3824534824-0
              • Opcode ID: 36e0140572639bf633e86d5fb24f2db2a7892841a76868974452bd933129a53c
              • Instruction ID: 345b492b6d11a664b1bc27fa5a18fdb134710f587d4b3778b12daae7b85af041
              • Opcode Fuzzy Hash: 36e0140572639bf633e86d5fb24f2db2a7892841a76868974452bd933129a53c
              • Instruction Fuzzy Hash: 1D114872904645BBEB009FA89C44AAB7FACFB46321F144269F914D7250D779C90087A0
              APIs
              • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0007821E
              • GetLastError.KERNEL32(?,00077CE2,?,?,?), ref: 00078228
              • GetProcessHeap.KERNEL32(00000008,?,?,00077CE2,?,?,?), ref: 00078237
              • HeapAlloc.KERNEL32(00000000,?,00077CE2,?,?,?), ref: 0007823E
              • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00078255
              Similarity
              • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
              • String ID:
              • API String ID: 842720411-0
              • Opcode ID: 54ba310b12ee571cf47bee2223fca75ff80c382a363b480abe1f4a301b085582
              • Instruction ID: 4733d9f85b45c7dc2471d48cf36d3269d81cb98f4e7c1d27d81997a38831ac59
              • Opcode Fuzzy Hash: 54ba310b12ee571cf47bee2223fca75ff80c382a363b480abe1f4a301b085582
              • Instruction Fuzzy Hash: B1016D71740605BFEB205FA5DC4CD7B7BACEF8A756B508469F809C2220DA358C01CB60
              APIs
              • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00077044,80070057,?,?,?,00077455), ref: 00077127
              • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00077044,80070057,?,?), ref: 00077142
              • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00077044,80070057,?,?), ref: 00077150
              • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00077044,80070057,?), ref: 00077160
              • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00077044,80070057,?,?), ref: 0007716C
              Similarity
              • API ID: From$Prog$FreeStringTasklstrcmpi
              • String ID:
              • API String ID: 3897988419-0
              • Opcode ID: 65a774c2f5b73d748ded9521af6d6667e887a544c75149d1aff98699f92ad665
              • Instruction ID: af80a22b0c726b885108b8e73776a5c0c4d56643e20ffde04713012b68e88524
              • Opcode Fuzzy Hash: 65a774c2f5b73d748ded9521af6d6667e887a544c75149d1aff98699f92ad665
              • Instruction Fuzzy Hash: 7A01DF76A00205BBEB104FA8DC44BAA7BECEF45B91F108174FD0CD6220DB39DD008BA0
              APIs
              • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00085260
              • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0008526E
              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00085276
              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00085280
              • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 000852BC
              Similarity
              • API ID: PerformanceQuery$CounterSleep$Frequency
              • String ID:
              • API String ID: 2833360925-0
              • Opcode ID: 732782ad15e802baeee5077e8caec51dc8393a017bb3633cedc39946c38763bb
              • Instruction ID: e66f36c05d1e07907bafa904bf3ee30d321a067f4386803c02673752acc17cd6
              • Opcode Fuzzy Hash: 732782ad15e802baeee5077e8caec51dc8393a017bb3633cedc39946c38763bb
              • Instruction Fuzzy Hash: C3011731D01A2ADBDF00EFE4EC49AEDBB78FB0E712F400566E981B2140CF3459548BA1
              APIs
              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00078121
              • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0007812B
              • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0007813A
              • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00078141
              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00078157
              Similarity
              • API ID: HeapInformationToken$AllocErrorLastProcess
              • String ID:
              • API String ID: 44706859-0
              • Opcode ID: b37aa4adab19be80352b7f9ac069a5bea023869370b5ae33772d04fb05ccdd35
              • Instruction ID: 04d10862721d1bbd80d3cc2956b6bee3a59ce38c0fb246adf507a89107e2e1aa
              • Opcode Fuzzy Hash: b37aa4adab19be80352b7f9ac069a5bea023869370b5ae33772d04fb05ccdd35
              • Instruction Fuzzy Hash: E0F0AF71340305AFEB511FA4EC8CE773BACEF4A755B404035F949C2150DF689901DB60
              APIs
              • GetDlgItem.USER32(?,000003E9), ref: 0007C1F7
              • GetWindowTextW.USER32(00000000,?,00000100), ref: 0007C20E
              • MessageBeep.USER32(00000000), ref: 0007C226
              • KillTimer.USER32(?,0000040A), ref: 0007C242
              • EndDialog.USER32(?,00000001), ref: 0007C25C
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
• Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: BeepDialogItemKillMessageTextTimerWindow
              • String ID:
              • API String ID: 3741023627-0
              • Opcode ID: 39c78c1c2a90f826657223341db277bcba12c419526080f1f065b3f2c76baeda
              • Instruction ID: 0770b543dabef2b72665646ff6838abe2356a3aff3ba0a5330ea136bfca12a01
              • Opcode Fuzzy Hash: 39c78c1c2a90f826657223341db277bcba12c419526080f1f065b3f2c76baeda
              • Instruction Fuzzy Hash: 6801A230804705ABFB255BA0ED4EFA677B8BB01B06F00426DA586A14E2DBE869458B94
              APIs
              • EndPath.GDI32(?), ref: 000213BF
              • StrokeAndFillPath.GDI32(?,?,0005B888,00000000,?), ref: 000213DB
              • SelectObject.GDI32(?,00000000), ref: 000213EE
              • DeleteObject.GDI32 ref: 00021401
              • StrokePath.GDI32(?), ref: 0002141C
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
• Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Path$ObjectStroke$DeleteFillSelect
              • String ID:
              • API String ID: 2625713937-0
              • Opcode ID: a450bbd1d529531662bf30da04ec8bdc22242c440a34ed39c7b6ac83f9ee5401
              • Instruction ID: 12ac2b80d996f90119f9b1eb191346b4fa87d56bc46762b46a9753f3e78fe579
              • Opcode Fuzzy Hash: a450bbd1d529531662bf30da04ec8bdc22242c440a34ed39c7b6ac83f9ee5401
              • Instruction Fuzzy Hash: 0AF03130000B49EBEB155F56ED8CBA83FE5AB1172BF088624E4696C0F1CB784595DF10
              APIs
                • Part of subcall function 00040DB6: std::exception::exception.LIBCMT ref: 00040DEC
                • Part of subcall function 00040DB6: __CxxThrowException@8.LIBCMT ref: 00040E01
                • Part of subcall function 00027DE1: _memmove.LIBCMT ref: 00027E22
                • Part of subcall function 00027A51: _memmove.LIBCMT ref: 00027AAB
              • __swprintf.LIBCMT ref: 00032ECD
              Strings
              • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00032D66
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
• Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
              • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
              • API String ID: 1943609520-557222456
              • Opcode ID: b5c58aa0a64b80ca5f974be2791a7d931450108d5e42344e722782385ad70234
              • Instruction ID: 534ac0a3985aca2c8a7f46b334c04a7b657788dd2b301b2875e84984a38e5b2a
              • Opcode Fuzzy Hash: b5c58aa0a64b80ca5f974be2791a7d931450108d5e42344e722782385ad70234
              • Instruction Fuzzy Hash: F09179711083119FC715EF24D886CAEB7E9EF85710F00492DF9969B2A2EB30ED84CB56
              APIs
                • Part of subcall function 00024750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00024743,?,?,000237AE,?), ref: 00024770
              • CoInitialize.OLE32(00000000), ref: 0008B9BB
              • CoCreateInstance.OLE32(000B2D6C,00000000,00000001,000B2BDC,?), ref: 0008B9D4
              • CoUninitialize.OLE32 ref: 0008B9F1
                • Part of subcall function 00029837: __itow.LIBCMT ref: 00029862
                • Part of subcall function 00029837: __swprintf.LIBCMT ref: 000298AC
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
• Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
              • String ID: .lnk
              • API String ID: 2126378814-24824748
              • Opcode ID: 5a513d16657d5ae84485b9fc41d4185e1f3577c72a1111fac0638b876e657bc9
              • Instruction ID: e4b019107d3b7f22ff53df8212fe23b4a000df0fb6d97d9e25f03c41f8a1b26f
              • Opcode Fuzzy Hash: 5a513d16657d5ae84485b9fc41d4185e1f3577c72a1111fac0638b876e657bc9
              • Instruction Fuzzy Hash: 47A178756043119FCB14EF14C884DAABBE5FF89324F148998F8999B3A2CB31EC45CB91
              APIs
              • __startOneArgErrorHandling.LIBCMT ref: 000450AD
                • Part of subcall function 000500F0: __87except.LIBCMT ref: 0005012B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
• Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: ErrorHandling__87except__start
              • String ID: pow
              • API String ID: 2905807303-2276729525
              • Opcode ID: 5f88179c0cdd82df9134e6864fa8ea1b22acc4250afb8d98704167e48375903f
              • Instruction ID: 680055cfa88275d0d13a8b8c3d608144dffc9039566cff7e22b2aabde69f572d
              • Opcode Fuzzy Hash: 5f88179c0cdd82df9134e6864fa8ea1b22acc4250afb8d98704167e48375903f
              • Instruction Fuzzy Hash: 38513CA5908A0197DB617714CD153AF2FD49B40703F208D6DECD5862ABDE388DDC9A8E
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
• Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: _memset$_memmove
              • String ID: ERCP
              • API String ID: 2532777613-1384759551
              • Opcode ID: 77c6926fbdbbed4e2ca3fadb0dd6c31b5d881dd8b03fe9ecf5bec60dbef1a1cb
              • Instruction ID: e2e18a7a4764759e5ec7b7533e4e22e6b26d3dfa48cfd9a2561b700786b4b446
              • Opcode Fuzzy Hash: 77c6926fbdbbed4e2ca3fadb0dd6c31b5d881dd8b03fe9ecf5bec60dbef1a1cb
              • Instruction Fuzzy Hash: 5E51C170900705EBDB25CF65C841BABB7F8EF04304F21856EE54ADB281E775EA40CB50
              APIs
                • Part of subcall function 000814BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00079296,?,?,00000034,00000800,?,00000034), ref: 000814E6
              • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0007983F
                • Part of subcall function 00081487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,000792C5,?,?,00000800,?,00001073,00000000,?,?), ref: 000814B1
                • Part of subcall function 000813DE: GetWindowThreadProcessId.USER32(?,?), ref: 00081409
                • Part of subcall function 000813DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0007925A,00000034,?,?,00001004,00000000,00000000), ref: 00081419
                • Part of subcall function 000813DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0007925A,00000034,?,?,00001004,00000000,00000000), ref: 0008142F
              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 000798AC
              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 000798F9
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
• Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
              • String ID: @
              • API String ID: 4150878124-2766056989
              • Opcode ID: 52cdc87210843d22ecc8178fcdc0e2026f3720cb752cd187993d1ffbb28f1283
              • Instruction ID: 99897aa9a665b7714bf6bd53d6a6b938d401347ba1988959220a077dac9b81c1
              • Opcode Fuzzy Hash: 52cdc87210843d22ecc8178fcdc0e2026f3720cb752cd187993d1ffbb28f1283
              • Instruction Fuzzy Hash: 41413E76D00218BFDB10EFA4CC81ADEBBB8EF09300F144199FA55B7191DA756E45CBA1
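This function is the reason the report flags "Writes to foreign memory regions": TVM_GETITEMRECT (0x1104) and TVM_HITTEST (0x1111) take a pointer in lParam that must be valid inside the process owning the SysTreeView32 control, so the runtime opens that process, allocates a page there, writes the request structure, sends the message and reads the result back. That is the ordinary AutoIt ControlTreeView mechanism and is also exactly the API sequence a process-injection detection would fire on; the only things separating the two are the OpenProcess access mask (0x438 here: no PROCESS_CREATE_THREAD) and the page protection (0x4, PAGE_READWRITE rather than PAGE_EXECUTE_READWRITE). The Python below is an added example for this page, not code from Joe Sandbox or the sample: it parses API lines in the report's own format, decodes those constants, and summarises whether the cross-process sequence looks like a control read or an injection. The log lines are copied from the listing above into a constructed string; the flag tables cover only the values decoded here.

```python
import re

# One report line: "• Api.MODULE(arg,arg,...), ref: 000ADDR"; nested "(...)" in an arg is tolerated.
CALL_RE = re.compile(r"(\w+)\.(\w+)\((.*?)\), ref: ([0-9A-Fa-f]+)")

PROCESS_ACCESS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
# Tree-view messages whose lParam must point into the target process (TV_FIRST = 0x1100).
TREEVIEW_MSGS = {0x1104: "TVM_GETITEMRECT", 0x1111: "TVM_HITTEST"}

# Constructed sample: the lines of the listing above, in report format.
SAMPLE_LOG = """
• Part of subcall function 000813DE: GetWindowThreadProcessId.USER32(?,?), ref: 00081409
• Part of subcall function 000813DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0007925A,00000034,?,?,00001004,00000000,00000000), ref: 00081419
• Part of subcall function 000813DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0007925A,00000034,?,?,00001004,00000000,00000000), ref: 0008142F
• Part of subcall function 000814BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00079296,?,?,00000034,00000800,?,00000034), ref: 000814E6
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0007983F
• Part of subcall function 00081487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,000792C5,?,?,00000800,?,00001073,00000000,?,?), ref: 000814B1
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 000798AC
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 000798F9
"""


def _arg(tok):
    """'?' -> None, '00000003(TokenIntegrityLevel)' -> 3, class/DLL names stay strings.
    Caveat: a bare name made only of hex digits would parse as a number."""
    tok = tok.strip()
    if tok in ("", "?"):
        return None
    try:
        return int(tok.split("(")[0], 16)
    except ValueError:
        return tok


def parse_call(line):
    m = CALL_RE.search(line)
    if not m:
        return None
    api, module, raw_args, ref = m.groups()
    return {"api": api, "module": module,
            "args": [_arg(a) for a in raw_args.split(",")], "ref": int(ref, 16)}


def parse_log(text):
    return [c for c in map(parse_call, text.splitlines()) if c]


def decode_flags(value, table):
    names = [name for bit, name in table.items() if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append(hex(leftover))
    return names


def remote_memory_summary(calls):
    """Summarise an OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> SendMessageW
    -> ReadProcessMemory chain; None if any step is missing from the listing."""
    by_api = {c["api"]: c for c in calls}
    needed = ("OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "SendMessageW", "ReadProcessMemory")
    if not all(n in by_api for n in needed):
        return None
    access = by_api["OpenProcess"]["args"][0] or 0
    va = by_api["VirtualAllocEx"]["args"]
    alloc_type, protect = va[3] or 0, va[4] or 0
    msgs = {c["args"][1] for c in calls if c["api"] == "SendMessageW" and c["args"][1] is not None}
    return {
        "open_process_access": decode_flags(access, PROCESS_ACCESS),
        "alloc_type": decode_flags(alloc_type, MEM_FLAGS),
        "alloc_protect": PAGE_PROTECT.get(protect, hex(protect)),
        "messages": sorted(TREEVIEW_MSGS.get(m, hex(m)) for m in msgs),
        # Executable page or thread-creation rights would point at injection, not a control read.
        "looks_like_injection": bool(protect & 0x60) or bool(access & 0x0002),
    }


if __name__ == "__main__":
    for key, value in remote_memory_summary(parse_log(SAMPLE_LOG)).items():
        print("%-22s %s" % (key, value))
```

The same parser works on any "APIs" listing in this report, which makes it a quick way to pull every OpenProcess access mask or VirtualAllocEx protection out of the page and compare them against the ones a real injector would need.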
              APIs
              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,000AF910,00000000,?,?,?,?), ref: 000A79DF
              • GetWindowLongW.USER32 ref: 000A79FC
              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 000A7A0C
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
• Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Window$Long
              • String ID: SysTreeView32
              • API String ID: 847901565-1698111956
              • Opcode ID: c8063f8342d1266f6be4e7e15f34b6f77f2ab0218ba1cd6ee23f082ec412fb68
              • Instruction ID: cf397dd3e9ac284069795e0dfeb444e6dfa8e4e9cec64aaab5514e33838b1cd6
              • Opcode Fuzzy Hash: c8063f8342d1266f6be4e7e15f34b6f77f2ab0218ba1cd6ee23f082ec412fb68
              • Instruction Fuzzy Hash: 2131E131204606AFDB518EB8DC41BEB77A9EB4A324F248725F979A32E1D730ED508B50
              APIs
              • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 000A7461
              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 000A7475
              • SendMessageW.USER32(?,00001002,00000000,?), ref: 000A7499
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
• Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: MessageSend$Window
              • String ID: SysMonthCal32
              • API String ID: 2326795674-1439706946
              • Opcode ID: c655d411011abf13db833f94be8ee263fa577dae3f5bf28b3caca0b49690c130
              • Instruction ID: 7a1d7323fa78c62c4e404cf53f18776ac85d0be09cccde482162cc56d834de00
              • Opcode Fuzzy Hash: c655d411011abf13db833f94be8ee263fa577dae3f5bf28b3caca0b49690c130
              • Instruction Fuzzy Hash: AC21BF32500219ABDF218EA4CC42FEA3BA9EB4D724F114214FE596B190DB75AC518BA0
              APIs
              • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 000A7C4A
              • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 000A7C58
              • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 000A7C5F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
• Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: MessageSend$DestroyWindow
              • String ID: msctls_updown32
              • API String ID: 4014797782-2298589950
              • Opcode ID: 8c165ab0bcdcd31916e53386ee71d46a1d1174b4cb078a861eea9c8af036b0f0
              • Instruction ID: eb39a05999c812676b2785712a75925efe29831231af9ec722945b302dc5d9b1
              • Opcode Fuzzy Hash: 8c165ab0bcdcd31916e53386ee71d46a1d1174b4cb078a861eea9c8af036b0f0
              • Instruction Fuzzy Hash: F2218EB5604609AFEB10DF64DCC1DB737EDEF5A3A4B144459FA05AB3A1CB31EC118AA0
              APIs
              • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 000A6D3B
              • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 000A6D4B
              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 000A6D70
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
• Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: MessageSend$MoveWindow
              • String ID: Listbox
              • API String ID: 3315199576-2633736733
              • Opcode ID: f25f688a21bf92b0e99a815c21040bc9de0f1cbed9b085f5a321d05bc4e8235d
              • Instruction ID: 2f5711fac244a95c802878e24f4012a7a6b03c38053014dd9da54637fd882ed6
              • Opcode Fuzzy Hash: f25f688a21bf92b0e99a815c21040bc9de0f1cbed9b085f5a321d05bc4e8235d
              • Instruction Fuzzy Hash: 0721A732610118BFEF518F94DC45FFB37BAEF8A760F058124FA455B190C6729C5187A0
              APIs
              • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 000A7772
              • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 000A7787
              • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 000A7794
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
• Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: MessageSend
              • String ID: msctls_trackbar32
              • API String ID: 3850602802-1010561917
              • Opcode ID: f485bb0ef380f0fd82a0953a514b83211046ed2a853cfff88afe9c00dbe1f5ff
              • Instruction ID: de08009fcfb294d0fd8da64bf27479ddee241c30a559c1ef251bd0de48439075
              • Opcode Fuzzy Hash: f485bb0ef380f0fd82a0953a514b83211046ed2a853cfff88afe9c00dbe1f5ff
              • Instruction Fuzzy Hash: 72112732204208BAEF205FB0CC01FEB37A9EF89B54F014118F645A6090C271E811CB20
              APIs
              • __lock.LIBCMT ref: 00049B94
                • Part of subcall function 00049C0B: __mtinitlocknum.LIBCMT ref: 00049C1D
                • Part of subcall function 00049C0B: EnterCriticalSection.KERNEL32(00000000,?,00049A7C,0000000D), ref: 00049C36
              • __updatetlocinfoEx_nolock.LIBCMT ref: 00049BA4
                • Part of subcall function 00049100: ___addlocaleref.LIBCMT ref: 0004911C
                • Part of subcall function 00049100: ___removelocaleref.LIBCMT ref: 00049127
                • Part of subcall function 00049100: ___freetlocinfo.LIBCMT ref: 0004913B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
• Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: CriticalEnterEx_nolockSection___addlocaleref___freetlocinfo___removelocaleref__lock__mtinitlocknum__updatetlocinfo
              • String ID: 8$8
              • API String ID: 547918592-3868594399
              • Opcode ID: 21337323f2b6227e04aad554345abf8659660027f6099c2b4b5403b9f68365fd
              • Instruction ID: 41f3a73d89779f6a590d4cd1d97b133d72dd6cee4c7bddc9d6b9be43950f8a14
              • Opcode Fuzzy Hash: 21337323f2b6227e04aad554345abf8659660027f6099c2b4b5403b9f68365fd
              • Instruction Fuzzy Hash: ABE08CB1943700EAEA50BBE4AA03B8F27909B01B31F20417BF0555D1C3CF782840867F
              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,?,00024BD0,?,00024DEF,?,000E52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00024C11
              • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00024C23
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
• Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
              • API String ID: 2574300362-3689287502
              • Opcode ID: 603b09ace05d972a0106334110a376802aa530c67a144808a24969c293826a22
              • Instruction ID: 5fe71aee2c3b61c1aa2f351ca1e67734d4f87d6ca2768c3d594f04517f9694f8
              • Opcode Fuzzy Hash: 603b09ace05d972a0106334110a376802aa530c67a144808a24969c293826a22
              • Instruction Fuzzy Hash: 90D01230511B23CFD760AFB5ED58656B6E5EF0A352B118C3AD885D6150E7F4D480C660
              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,?,00024B83,?), ref: 00024C44
              • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00024C56
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
• Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
              • API String ID: 2574300362-1355242751
              • Opcode ID: 70a93d84cc1adb3a202c1b0d7f572fead469235343f9806b1d1085c32c6d9389
              • Instruction ID: 6f9f834411f47d27f006ce0c6da4009fce052e41a83eab29f6a3ffbe02adc1d7
              • Opcode Fuzzy Hash: 70a93d84cc1adb3a202c1b0d7f572fead469235343f9806b1d1085c32c6d9389
              • Instruction Fuzzy Hash: 04D0C230510B23CFD7205FB5E81821672E4AF02341B20883AD592DA160E774D480C620
              APIs
              • LoadLibraryA.KERNEL32(advapi32.dll,?,000A1039), ref: 000A0DF5
              • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 000A0E07
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
• Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: RegDeleteKeyExW$advapi32.dll
              • API String ID: 2574300362-4033151799
              • Opcode ID: 5bf2f914589e3ccdcc4f28f3190507d4292cda49776fcc45fb3071d8c71746bd
              • Instruction ID: d934f45daa1099a9b724697855d36ff0232de100da37b923056a84948c503146
              • Opcode Fuzzy Hash: 5bf2f914589e3ccdcc4f28f3190507d4292cda49776fcc45fb3071d8c71746bd
              • Instruction Fuzzy Hash: 71D0C730440B27CFE3209FB0D80828272E4AF12382F008C3ED582C6250E6B4E890CB20
              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00098CF4,?,000AF910), ref: 000990EE
              • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00099100
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
• Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: GetModuleHandleExW$kernel32.dll
              • API String ID: 2574300362-199464113
              • Opcode ID: 1822099d25f06fcf58e5da8799e50afb122a279f982246b57c849465a72f815f
              • Instruction ID: 3b00e0390c0135b9bd591c6725c38b2dea0b911e31d3c5e30a30a8f9ef5ddb63
              • Opcode Fuzzy Hash: 1822099d25f06fcf58e5da8799e50afb122a279f982246b57c849465a72f815f
              • Instruction Fuzzy Hash: 9CD01234510713CFDB209FB5D85855676E4AF06352B15CC3ED585D6550E774C4C0C760
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: LocalTime__swprintf
              • String ID: %.3d$WIN_XPe
              • API String ID: 2070861257-2409531811
              • Opcode ID: 69db49983c1f9566d45208a1ad7897abcb41616be0cb7fe1f47cfa5467e61366
              • Instruction ID: 30c76bb0e23576f253866420418c5c374492fd0d228a4b09785d457eb4f52432
              • Opcode Fuzzy Hash: 69db49983c1f9566d45208a1ad7897abcb41616be0cb7fe1f47cfa5467e61366
              • Instruction Fuzzy Hash: 88D05EB180C219FACB209B90DC8CDFD73BDAB09301F180462F506E2080E2369B94EB21
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ecdc87acb957ea282ef389e238c6f67a10bddce6e45b2b36f382fc3a606c75b4
              • Instruction ID: fd57b71fffd42bec9d684612ec62d63845b4aa115fcacf13a58d6690523d1828
              • Opcode Fuzzy Hash: ecdc87acb957ea282ef389e238c6f67a10bddce6e45b2b36f382fc3a606c75b4
              • Instruction Fuzzy Hash: F3C14974E04216EFCB14CFA4C884AAEBBB5FF48744B148598E80DEB251D734EE81DB94
              APIs
              • CharLowerBuffW.USER32(?,?), ref: 0009E0BE
              • CharLowerBuffW.USER32(?,?), ref: 0009E101
                • Part of subcall function 0009D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0009D7C5
              • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0009E301
              • _memmove.LIBCMT ref: 0009E314
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: BuffCharLower$AllocVirtual_memmove
              • String ID:
              • API String ID: 3659485706-0
              • Opcode ID: b767beb8963436993803f9b26aa2a44b82c7939cd12ecf3e3e760f04c9de009b
              • Instruction ID: 740c699713997a084872c0038c054f07219ab581c12d6367e5a4ec3f78df9a3c
              • Opcode Fuzzy Hash: b767beb8963436993803f9b26aa2a44b82c7939cd12ecf3e3e760f04c9de009b
              • Instruction Fuzzy Hash: D0C14671A083519FCB54DF28C480A6ABBE4FF89714F04896EF8999B352D731ED45CB82
              APIs
              • CoInitialize.OLE32(00000000), ref: 000980C3
              • CoUninitialize.OLE32 ref: 000980CE
                • Part of subcall function 0007D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0007D5D4
              • VariantInit.OLEAUT32(?), ref: 000980D9
              • VariantClear.OLEAUT32(?), ref: 000983AA
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
              • String ID:
              • API String ID: 780911581-0
              • Opcode ID: 1993adaeff9938ea4fd803621c57e908ada2f8a8fb9703c65465f2608d3a266f
              • Instruction ID: b629eb602aaa419d5646cdf2eb062b2f4b9ab68616663d188a303325ef3897ca
              • Opcode Fuzzy Hash: 1993adaeff9938ea4fd803621c57e908ada2f8a8fb9703c65465f2608d3a266f
              • Instruction Fuzzy Hash: 6CA18A756047119FCB50DF64C881B6AB7E4BF8A714F08845CF99A9B3A2CB34ED04DB86
              APIs
              • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,000B2C7C,?), ref: 000776EA
              • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,000B2C7C,?), ref: 00077702
              • CLSIDFromProgID.OLE32(?,?,00000000,000AFB80,000000FF,?,00000000,00000800,00000000,?,000B2C7C,?), ref: 00077727
              • _memcmp.LIBCMT ref: 00077748
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: FromProg$FreeTask_memcmp
              • String ID:
              • API String ID: 314563124-0
              • Opcode ID: 6d39748456af2a2a0318d379a9525729241fd6816f59d16f3c70ee20c57761d1
              • Instruction ID: 80857824b3ce2ae67946fa496a8eed301344905ef7eba0dac35d5c60db25eb77
              • Opcode Fuzzy Hash: 6d39748456af2a2a0318d379a9525729241fd6816f59d16f3c70ee20c57761d1
              • Instruction Fuzzy Hash: DE812B75E00109EFCB04DFA4C984EEEB7B9FF89355F208558E509AB250DB75AE06CB60
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Variant$AllocClearCopyInitString
              • String ID:
              • API String ID: 2808897238-0
              • Opcode ID: 65df535d9138601971a2936b3c68a991134d54cf6acdf169675133f9fc10c98b
              • Instruction ID: c29fb11be491d452416f816f6531f004b138592dbe13514d35a85e0626a1ab81
              • Opcode Fuzzy Hash: 65df535d9138601971a2936b3c68a991134d54cf6acdf169675133f9fc10c98b
              • Instruction Fuzzy Hash: 8B51C774E00B01AADB60AF65D89167EB3E5AF45310F20C81FE58FD7292DB39D840CB19
              APIs
              • GetWindowRect.USER32(0197E210,?), ref: 000A9863
              • ScreenToClient.USER32(00000002,00000002), ref: 000A9896
              • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 000A9903
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Window$ClientMoveRectScreen
              • String ID:
              • API String ID: 3880355969-0
              • Opcode ID: fb7b3005007181ae0b434a2714fba0115cf3b639056bb79fb5e67d4a77b56c28
              • Instruction ID: a16f8856331d8fb3c56573bfb9d888141657ed4f335095a0a928bd13218a93e6
              • Opcode Fuzzy Hash: fb7b3005007181ae0b434a2714fba0115cf3b639056bb79fb5e67d4a77b56c28
              • Instruction Fuzzy Hash: 1B515F34A00609EFDF10CFA8C980AAE7BF5FF46360F148559F955AB2A0DB34AD41CB90
              APIs
              • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00079AD2
              • __itow.LIBCMT ref: 00079B03
                • Part of subcall function 00079D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00079DBE
              • SendMessageW.USER32(?,0000110A,00000001,?), ref: 00079B6C
              • __itow.LIBCMT ref: 00079BC3
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: MessageSend$__itow
              • String ID:
              • API String ID: 3379773720-0
              • Opcode ID: 0e57b70cf648205226c4c25d5dc3fc1d225a203b0d1360381484bd9c4045048d
              • Instruction ID: 7bca956d1cb1b8e93184224bdb0c9e75365b0fbb3d6c10a41fdff001338eefcb
              • Opcode Fuzzy Hash: 0e57b70cf648205226c4c25d5dc3fc1d225a203b0d1360381484bd9c4045048d
              • Instruction Fuzzy Hash: D7419D74A00218ABDF21EF64D846FEE7BB9EF45710F004069F909A7292DB749A44CBA5
              APIs
              • socket.WSOCK32(00000002,00000002,00000011), ref: 000969D1
              • WSAGetLastError.WSOCK32(00000000), ref: 000969E1
                • Part of subcall function 00029837: __itow.LIBCMT ref: 00029862
                • Part of subcall function 00029837: __swprintf.LIBCMT ref: 000298AC
              • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00096A45
              • WSAGetLastError.WSOCK32(00000000), ref: 00096A51
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: ErrorLast$__itow__swprintfsocket
              • String ID:
              • API String ID: 2214342067-0
              • Opcode ID: 779b26d606b4b6a86cbf1a7c71d6d6d694538bcd96778c1b1261c7367e538bfe
              • Instruction ID: 93fcaf1c9cde59245adf2956c984af8e28bca0bd8b41d26670d87c23a3be3185
              • Opcode Fuzzy Hash: 779b26d606b4b6a86cbf1a7c71d6d6d694538bcd96778c1b1261c7367e538bfe
              • Instruction Fuzzy Hash: 9E41AE75740210AFEB60AF64DC86FBE77E8AF05B14F44C058FA59AB2C3DA759D008B91
              APIs
              • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,000AF910), ref: 000964A7
              • _strlen.LIBCMT ref: 000964D9
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: _strlen
              • String ID:
              • API String ID: 4218353326-0
              • Opcode ID: 91ee4fabad5f3cc66e2bb93ea94fb6e3c93edeb473ef768af21df48d5207f30f
              • Instruction ID: 8e024129dad1baf7225539136f208f9920c65dc172a292f38a18c809fa931cd3
              • Opcode Fuzzy Hash: 91ee4fabad5f3cc66e2bb93ea94fb6e3c93edeb473ef768af21df48d5207f30f
              • Instruction Fuzzy Hash: B741DF71A00514ABCF14EBA8EC95FFEB7A8AF05310F108165F81A9B293EB31ED04DB54
              APIs
              • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0008B89E
              • GetLastError.KERNEL32(?,00000000), ref: 0008B8C4
              • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0008B8E9
              • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0008B915
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: CreateHardLink$DeleteErrorFileLast
              • String ID:
              • API String ID: 3321077145-0
              • Opcode ID: 743e61343ceb8d29e0b910fb12d5d880dd5637b9131b74e0054f7a9392fa2fc0
              • Instruction ID: 4def26d77c1a7a86fecf8581cf0d8316e9f290fc223529ad69722da0b90d82fc
              • Opcode Fuzzy Hash: 743e61343ceb8d29e0b910fb12d5d880dd5637b9131b74e0054f7a9392fa2fc0
              • Instruction Fuzzy Hash: 2B411839600A21DFCB11EF55D584A9DBBE1BF4A710F198099EC8A9B362CB34FD01CB95
              APIs
              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 000A88DE
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: InvalidateRect
              • String ID:
              • API String ID: 634782764-0
              • Opcode ID: 5d60aa7a6572b136123efe1d3879286582f3bbc8df6f8aadd4a3f15276b215db
              • Instruction ID: 3ab42ee9f4dca06c331eb5b6bd96547ab97c2f3046bdce607b0fcf7f855446ec
              • Opcode Fuzzy Hash: 5d60aa7a6572b136123efe1d3879286582f3bbc8df6f8aadd4a3f15276b215db
              • Instruction Fuzzy Hash: BF31D234600109BFEB709AE8CC85BFE77B5EB07310F688512FA51E61A1CE74D9409752
              APIs
              • ClientToScreen.USER32(?,?), ref: 000AAB60
              • GetWindowRect.USER32(?,?), ref: 000AABD6
              • PtInRect.USER32(?,?,000AC014), ref: 000AABE6
              • MessageBeep.USER32(00000000), ref: 000AAC57
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Rect$BeepClientMessageScreenWindow
              • String ID:
              • API String ID: 1352109105-0
              • Opcode ID: e53813992ae3f88ac8fe821cdebdc85958c57e018bc9c6643938c24ced5585b4
              • Instruction ID: ea2184cf661c148388b770fc25a85c70b3bacfb3a74b78a28476cae86a0d7cbc
              • Opcode Fuzzy Hash: e53813992ae3f88ac8fe821cdebdc85958c57e018bc9c6643938c24ced5585b4
              • Instruction Fuzzy Hash: CD418230700519DFEB21DF98C884BA97BF5FB4B721F1484A9E415AF2A1D731E841CB92
              APIs
              • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00080B27
              • SetKeyboardState.USER32(00000080,?,00000001), ref: 00080B43
              • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00080BA9
              • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00080BFB
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: KeyboardState$InputMessagePostSend
              • String ID:
              • API String ID: 432972143-0
              • Opcode ID: 6491b6d43091a765c4b771c7bdf08d9ccefa893360e632e17b2a1fb88e3b5500
              • Instruction ID: 897d141c1320ff0c1f7b454ef6b9cc9a9a41ebbedcb2f0331a454c78c6e08fa7
              • Opcode Fuzzy Hash: 6491b6d43091a765c4b771c7bdf08d9ccefa893360e632e17b2a1fb88e3b5500
              • Instruction Fuzzy Hash: 4E315830E40618AFFFB0AB658C05BFEBBE9BF45328F08826AE5D0521D1C37989489755
              APIs
              • GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00080C66
              • SetKeyboardState.USER32(00000080,?,00008000), ref: 00080C82
              • PostMessageW.USER32(00000000,00000101,00000000), ref: 00080CE1
              • SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00080D33
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: KeyboardState$InputMessagePostSend
              • String ID:
              • API String ID: 432972143-0
              • Opcode ID: 648007844425a600df1e6eeecbc3047d8d96ee486d8acd7ce04e297757578b4e
              • Instruction ID: b4face45b8d6768f961757be05625bdb9383b51d44033e1fbe7897b3a2b4e3e6
              • Opcode Fuzzy Hash: 648007844425a600df1e6eeecbc3047d8d96ee486d8acd7ce04e297757578b4e
              • Instruction Fuzzy Hash: 00312630D40718AEFFB0AFA5C8157FEBBA6BB45320F04832AE4C5521D1D37999598792
              APIs
              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000561FB
              • __isleadbyte_l.LIBCMT ref: 00056229
              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00056257
              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0005628D
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
              • String ID:
              • API String ID: 3058430110-0
              • Opcode ID: bc95bb96ed839ba3eedd9ef4cda9972d1b21cc298436285dbcfc8daee6096cbf
              • Instruction ID: 0e07b2e3b35ea3c91349efba117c044ec33c5294e47a0a47054e468f72ca4978
              • Opcode Fuzzy Hash: bc95bb96ed839ba3eedd9ef4cda9972d1b21cc298436285dbcfc8daee6096cbf
              • Instruction Fuzzy Hash: 0631CE30604A46AFDF218FA5CC44BBB7BE9FF42352F554128EC64871A1DB32E954DB90
              APIs
              • GetForegroundWindow.USER32 ref: 000A4F02
                • Part of subcall function 00083641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0008365B
                • Part of subcall function 00083641: GetCurrentThreadId.KERNEL32 ref: 00083662
                • Part of subcall function 00083641: AttachThreadInput.USER32(00000000,?,00085005), ref: 00083669
              • GetCaretPos.USER32(?), ref: 000A4F13
              • ClientToScreen.USER32(00000000,?), ref: 000A4F4E
              • GetForegroundWindow.USER32 ref: 000A4F54
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
              • String ID:
              • API String ID: 2759813231-0
              • Opcode ID: 245c40ee300cff9cba4b9bb9a4e27f00453ee4e3cb4b870913f26db802123197
              • Instruction ID: ca3718cac66bfd4e2dd3f4ac20d0ba97dfe63e7800c034a2ffec64309fc301d7
              • Opcode Fuzzy Hash: 245c40ee300cff9cba4b9bb9a4e27f00453ee4e3cb4b870913f26db802123197
              • Instruction Fuzzy Hash: 49313E71D00118AFDB00EFB5D8859EFB7F9EF89300F10446AE415E7202EA759E058BA0
              APIs
              • CreateToolhelp32Snapshot.KERNEL32 ref: 00083C7A
              • Process32FirstW.KERNEL32(00000000,?), ref: 00083C88
              • Process32NextW.KERNEL32(00000000,?), ref: 00083CA8
              • CloseHandle.KERNEL32(00000000), ref: 00083D52
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
              • String ID:
              • API String ID: 420147892-0
              • Opcode ID: 6cd2945aca7a7f3d9a532b5a0c58997fadf954de383ecf41d04699a24993ff90
              • Instruction ID: dbce60baec52dc4066188a517bb66b5e3783d6ccd3f0b357572ff8a19f5d3fd5
              • Opcode Fuzzy Hash: 6cd2945aca7a7f3d9a532b5a0c58997fadf954de383ecf41d04699a24993ff90
              • Instruction Fuzzy Hash: B8318D711083059FD310EF50E885ABFBBE8BF95354F50082DF4C5861A2EB719A49CB92
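              The function summaries above list each routine's imported calls with raw hex operands, and ordinal-only imports appear as `#NN.WSOCK32` (the `socket` summary calls `#21`, the next summary calls `#16`). The Python below is an added triage helper, not part of the Joe Sandbox report and not code from the AutoIt runtime: it parses summaries in this format, resolves the fixed Winsock 1.1 ordinals (`#21` is `setsockopt`, `#16` is `recv`), decodes the constants in the `socket`, `setsockopt` and `VirtualAlloc` calls that appear on this page (`AF_INET`/`SOCK_DGRAM`/`IPPROTO_UDP`, `SOL_SOCKET`/`SO_BROADCAST`, `PAGE_EXECUTE_READWRITE`), and tags each block with a capability. The sample text is constructed from API lines copied from the `VirtualAlloc`, `socket` and `CreateToolhelp32Snapshot` summaries above; the ordinal table, the constant tables and the tag names are this example's own assumptions. One caveat belongs with any such tag: the report flags the binary as a compiled AutoIt script, and these summaries come from the sample's own image (the `hcaresult_0_2_20000_Pb4xbhZNjF` snapshot), so a tag records a capability of the AutoIt interpreter rather than proof that the embedded script exercises it.

```python
"""Triage helper for Joe Sandbox IDA-plugin "APIs" summaries.  Added example, not part
of the report or of AutoIt; SAMPLE is constructed from API lines on this page, and the
ordinal table, constant tables and tag names are this example's own assumptions."""
import re
from dataclasses import dataclass

# Constructed sample: three "APIs" lists copied from summaries on this page.
SAMPLE = """\
APIs
• CharLowerBuffW.USER32(?,?), ref: 0009E0BE
• VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0009E301
• _memmove.LIBCMT ref: 0009E314
Memory Dump Source
APIs
• socket.WSOCK32(00000002,00000002,00000011), ref: 000969D1
  • Part of subcall function 00029837: __itow.LIBCMT ref: 00029862
• #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00096A45
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 00083C7A
• Process32FirstW.KERNEL32(00000000,?), ref: 00083C88
• Process32NextW.KERNEL32(00000000,?), ref: 00083CA8
• CloseHandle.KERNEL32(00000000), ref: 00083D52
"""
API_RE = re.compile(r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
                    r"(?P<name>[#\w:]+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*"
                    r"(?P<ref>[0-9A-Fa-f]+)\s*$")
# Fixed Winsock 1.1 export ordinals of wsock32.dll / ws2_32.dll ("#21.WSOCK32" is setsockopt).
WSOCK_ORDINALS = {1: "accept", 2: "bind", 3: "closesocket", 4: "connect", 7: "getsockopt",
                  13: "listen", 16: "recv", 17: "recvfrom", 18: "select", 19: "send",
                  20: "sendto", 21: "setsockopt", 22: "shutdown", 23: "socket"}
AF, SOCKTYPE = {2: "AF_INET", 23: "AF_INET6"}, {1: "SOCK_STREAM", 2: "SOCK_DGRAM"}
PROTO = {6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}
SOL_SOCKET, SO_BROADCAST = 0xFFFF, 0x0020
PAGE = {0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

@dataclass
class Call:
    name: str      # resolved API name ("#21" -> "setsockopt")
    module: str
    args: list     # one int per hex operand, None for "?"
    ref: int       # call-site address
    subcall: bool  # came from a "Part of subcall function" line

def _arg(token):
    m = re.match(r"[0-9A-Fa-f]+", token.strip())  # "00000003(TokenIntegrityLevel)" -> 3
    return int(m.group(), 16) if m else None

def _resolve(name, module):
    if name.startswith("#") and module.upper() in ("WSOCK32", "WS2_32"):
        return WSOCK_ORDINALS.get(int(name[1:]), name)
    return name

def parse_summaries(text):
    """Return one list of Call per "APIs" header; any other header closes the list."""
    blocks, in_apis = [], False
    for line in text.splitlines():
        if line.strip() == "APIs":
            blocks.append([])
            in_apis = True
            continue
        m = API_RE.match(line)
        if not m or not in_apis:
            in_apis = False
            continue
        args = [_arg(a) for a in m["args"].split(",")] if m["args"] else []
        blocks[-1].append(Call(_resolve(m["name"], m["module"]), m["module"], args,
                               int(m["ref"], 16), m["sub"] is not None))
    return blocks

def direct(block):  # calls made by the function itself, not by its subcalls
    return [c for c in block if not c.subcall]

def _sym(table, value):
    return table.get(value, "?" if value is None else hex(value))

def decode_call(call):
    """Operands of the socket/memory APIs seen on this page, with symbolic constants."""
    a = call.args
    if call.name == "socket" and len(a) >= 3:
        return f"socket({_sym(AF, a[0])}, {_sym(SOCKTYPE, a[1])}, {_sym(PROTO, a[2])})"
    if call.name == "setsockopt" and len(a) >= 3:
        level = "SOL_SOCKET" if a[1] == SOL_SOCKET else _sym({}, a[1])
        opt = "SO_BROADCAST" if (a[1], a[2]) == (SOL_SOCKET, SO_BROADCAST) else _sym({}, a[2])
        return f"setsockopt(level={level}, opt={opt})"
    if call.name == "VirtualAlloc" and len(a) >= 4:
        return f"VirtualAlloc(size={_sym({}, a[1])}, protect={_sym(PAGE, a[3])})"
    return call.name

def tag_block(block):
    """Capability tags for one function.  The sample is a compiled AutoIt script, so a tag
    records what the AutoIt runtime can do, not what the embedded script actually does."""
    calls, tags = direct(block), set()
    names = {c.name for c in calls}
    if any(c.name == "VirtualAlloc" and len(c.args) >= 4 and c.args[3] == 0x40 for c in calls):
        tags.add("rwx-allocation")
    if "CreateToolhelp32Snapshot" in names and names & {"Process32FirstW", "Process32First"}:
        tags.add("toolhelp-process-enumeration")
    if any(c.name == "socket" and len(c.args) >= 2 and c.args[1] == 2 for c in calls) and any(
            c.name == "setsockopt" and len(c.args) >= 3
            and (c.args[1], c.args[2]) == (SOL_SOCKET, SO_BROADCAST) for c in calls):
        tags.add("udp-broadcast-socket")
    return tags
```

Running `parse_summaries` over the full "APIs" export and printing `decode_call` for each direct call turns the `socket` summary above into `socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)` followed by `setsockopt(level=SOL_SOCKET, opt=SO_BROADCAST)`, and the `VirtualAlloc` summary into a 0x77-byte `PAGE_EXECUTE_READWRITE` allocation that `_memmove` then fills. Subcall lines are kept but excluded from tagging, since the report attributes them to a callee rather than to the function being summarised.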
              APIs
                • Part of subcall function 00022612: GetWindowLongW.USER32(?,000000EB), ref: 00022623
              • GetCursorPos.USER32(?), ref: 000AC4D2
              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0005B9AB,?,?,?,?,?), ref: 000AC4E7
              • GetCursorPos.USER32(?), ref: 000AC534
              • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0005B9AB,?,?,?), ref: 000AC56E
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Cursor$LongMenuPopupProcTrackWindow
              • String ID:
              • API String ID: 2864067406-0
              • Opcode ID: f9bb497b79f01ff423faef5b684e323a50458c45e219d848b0dd5c947a6d9387
              • Instruction ID: 30cdb499f7a654fae2591facf7b75889ce9dab86a16bd4ed91f815de6b12d6a7
              • Opcode Fuzzy Hash: f9bb497b79f01ff423faef5b684e323a50458c45e219d848b0dd5c947a6d9387
              • Instruction Fuzzy Hash: 8E31C535900858EFEB258FA8C858DFA7BF5EF0A710F054055F9059B261C7356D50DB94
              APIs
                • Part of subcall function 0007810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00078121
                • Part of subcall function 0007810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0007812B
                • Part of subcall function 0007810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0007813A
                • Part of subcall function 0007810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00078141
                • Part of subcall function 0007810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00078157
              • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 000786A3
              • _memcmp.LIBCMT ref: 000786C6
              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 000786FC
              • HeapFree.KERNEL32(00000000), ref: 00078703
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
              • String ID:
              • API String ID: 1592001646-0
              • Opcode ID: 51d22a5c775c1d482e27962aad1f0648b5767424035e3330ac66f35f504492c0
              • Instruction ID: 05deaec266112b92b0fd97960efbc982552ecb0530e822edd0d3856a693bcc32
              • Opcode Fuzzy Hash: 51d22a5c775c1d482e27962aad1f0648b5767424035e3330ac66f35f504492c0
              • Instruction Fuzzy Hash: 09216971E80109EBDB10DFA4D949BEEB7F8EF45304F15C059E548AB241DB38AE05CBA4
              APIs
              • __setmode.LIBCMT ref: 000409AE
                • Part of subcall function 00025A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00087896,?,?,00000000), ref: 00025A2C
                • Part of subcall function 00025A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00087896,?,?,00000000,?,?), ref: 00025A50
              • _fprintf.LIBCMT ref: 000409E5
              • OutputDebugStringW.KERNEL32(?), ref: 00075DBB
                • Part of subcall function 00044AAA: _flsall.LIBCMT ref: 00044AC3
              • __setmode.LIBCMT ref: 00040A1A
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
              • String ID:
              • API String ID: 521402451-0
              • Opcode ID: 55dc58cf1a02fec356aa3737a2496b26585e77a0cf6c1052691abaca2a56d675
              • Instruction ID: d216e1dc17a80a1cb113931a3939e434a2c302a9c9732f26ca3f9afeaa197256
              • Opcode Fuzzy Hash: 55dc58cf1a02fec356aa3737a2496b26585e77a0cf6c1052691abaca2a56d675
              • Instruction Fuzzy Hash: C61136B19046046FDB14B7B4AC47AFE77A89F42321F644069F204A7183EE745C5287AE
              APIs
              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 000917A3
                • Part of subcall function 0009182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0009184C
                • Part of subcall function 0009182D: InternetCloseHandle.WININET(00000000), ref: 000918E9
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Internet$CloseConnectHandleOpen
              • String ID:
              • API String ID: 1463438336-0
              • Opcode ID: 112308d022f541c350b2716a65b7fc44924a99feaa913f5133ae1bfb71935b75
              • Instruction ID: 16296de6651a1d462f8c5bfa5c8711bef99a12c1859c52df183c0c7acbd93f3b
              • Opcode Fuzzy Hash: 112308d022f541c350b2716a65b7fc44924a99feaa913f5133ae1bfb71935b75
              • Instruction Fuzzy Hash: 44218031304606BFEF229FA09C41BFBBBE9FB49750F10442AF95196651DB719811BBA0
              APIs
              • GetFileAttributesW.KERNEL32(?,000AFAC0), ref: 00083A64
              • GetLastError.KERNEL32 ref: 00083A73
              • CreateDirectoryW.KERNEL32(?,00000000), ref: 00083A82
              • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,000AFAC0), ref: 00083ADF
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: CreateDirectory$AttributesErrorFileLast
              • String ID:
              • API String ID: 2267087916-0
              • Opcode ID: 4c297766492563d14bc82f18b62df8deeb5de83d6f85d7367d6a82476f8fe0b3
              • Instruction ID: 65b7e7a5f4adeb738fe6fcc8e0bc1475068a47a4493e2b3b523c2b29440478dc
              • Opcode Fuzzy Hash: 4c297766492563d14bc82f18b62df8deeb5de83d6f85d7367d6a82476f8fe0b3
              • Instruction Fuzzy Hash: 7A2183745086029F8714EF68D8818AB77E4BF96764F104A2DF4D9C72A2DB31DE46CB43
              APIs
                • Part of subcall function 0007F0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0007DCD3,?,?,?,0007EAC6,00000000,000000EF,00000119,?,?), ref: 0007F0CB
                • Part of subcall function 0007F0BC: lstrcpyW.KERNEL32(00000000,?,?,0007DCD3,?,?,?,0007EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0007F0F1
                • Part of subcall function 0007F0BC: lstrcmpiW.KERNEL32(00000000,?,0007DCD3,?,?,?,0007EAC6,00000000,000000EF,00000119,?,?), ref: 0007F122
              • lstrlenW.KERNEL32(?,00000002,?,?,?,?,0007EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0007DCEC
              • lstrcpyW.KERNEL32(00000000,?,?,0007EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0007DD12
              • lstrcmpiW.KERNEL32(00000002,cdecl,?,0007EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0007DD46
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: lstrcmpilstrcpylstrlen
              • String ID: cdecl
              • API String ID: 4031866154-3896280584
              • Opcode ID: 3638784b4e91672bb1d09b1f81f7810e2d723b5484982ef7d9a1ec1e4ad9ab56
              • Instruction ID: 1e84f5cbd71ccd9b94b13ad06b10a7f67fcfa2c4534dbb1de1bbcca49ade49d4
              • Opcode Fuzzy Hash: 3638784b4e91672bb1d09b1f81f7810e2d723b5484982ef7d9a1ec1e4ad9ab56
              • Instruction Fuzzy Hash: 6411E13A600305EBDB249F74CC459BA37B8FF46350B40802AE90ACB2A1EB759C10C7A8
              APIs
              • _free.LIBCMT ref: 00055101
                • Part of subcall function 0004571C: __FF_MSGBANNER.LIBCMT ref: 00045733
                • Part of subcall function 0004571C: __NMSG_WRITE.LIBCMT ref: 0004573A
                • Part of subcall function 0004571C: RtlAllocateHeap.NTDLL(01960000,00000000,00000001,00000000,?,?,?,00040DD3,?), ref: 0004575F
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: AllocateHeap_free
              • String ID:
              • API String ID: 614378929-0
              • Opcode ID: c0f3d9c7117d0f532c3a525d340c49cdb7136584eb549f60e6583674708f57b6
              • Instruction ID: 64ae5fae1d2dcfa207454601e54ac7c2c653224019d3598f1d30355c2cc1f8e9
              • Opcode Fuzzy Hash: c0f3d9c7117d0f532c3a525d340c49cdb7136584eb549f60e6583674708f57b6
              • Instruction Fuzzy Hash: 4811C4B2900E11AFDB312F70AC597AF3FD89B05363B104939FD449A152DF348944979C
              APIs
                • Part of subcall function 00025A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00087896,?,?,00000000), ref: 00025A2C
                • Part of subcall function 00025A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00087896,?,?,00000000,?,?), ref: 00025A50
              • gethostbyname.WSOCK32(?), ref: 00096399
              • WSAGetLastError.WSOCK32(00000000), ref: 000963A4
              • _memmove.LIBCMT ref: 000963D1
              • inet_ntoa.WSOCK32(?), ref: 000963DC
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
              • String ID:
              • API String ID: 1504782959-0
              • Opcode ID: 97a3bdf2f1941e61753b5e150ad40f069b59b05fcc8b945b12deee312fffd387
              • Instruction ID: 9b2fcad6a03c762c2be8ea94c72edb67667ae532578744268534b7d99f7b969c
              • Opcode Fuzzy Hash: 97a3bdf2f1941e61753b5e150ad40f069b59b05fcc8b945b12deee312fffd387
              • Instruction Fuzzy Hash: 74118E32500509AFCF00FBA4ED46CEEB7B8AF05310B044165F506B7162DF35AE04DBA5
              APIs
              • SendMessageW.USER32(?,000000B0,?,?), ref: 00078B61
              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00078B73
              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00078B89
              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00078BA4
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: MessageSend
              • String ID:
              • API String ID: 3850602802-0
              • Opcode ID: 4ab6638ffb3d28b0cb565a02b1ce8cea6e5131574b5a976362fad4948502012b
              • Instruction ID: 52c04a05d1595f102657e8c850e69116e19492a9854c90ce9f0a0f8b4cd95146
              • Opcode Fuzzy Hash: 4ab6638ffb3d28b0cb565a02b1ce8cea6e5131574b5a976362fad4948502012b
              • Instruction Fuzzy Hash: C7110A79D41218FFEB11DB95C885EADBBB4EB48710F208095EA04B7250DB716E11DB94
              APIs
                • Part of subcall function 00022612: GetWindowLongW.USER32(?,000000EB), ref: 00022623
              • DefDlgProcW.USER32(?,00000020,?), ref: 000212D8
              • GetClientRect.USER32(?,?), ref: 0005B5FB
              • GetCursorPos.USER32(?), ref: 0005B605
              • ScreenToClient.USER32(?,?), ref: 0005B610
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Client$CursorLongProcRectScreenWindow
              • String ID:
              • API String ID: 4127811313-0
              • Opcode ID: 3c4e4199a9c5b60cee00ae8453a7b9ab83c5c9cbbcb3f701731df2ae12c27ee7
              • Instruction ID: 4816227ec720fa7000fb33f33d0ef47290f9d6d08c4a4220a6ddb40ada4a22f2
              • Opcode Fuzzy Hash: 3c4e4199a9c5b60cee00ae8453a7b9ab83c5c9cbbcb3f701731df2ae12c27ee7
              • Instruction Fuzzy Hash: A5113D35900429EFDB10DFA4E8859FE77B8EB16301F500456F941E7141D734BA658BA5
              APIs
              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0007FCED,?,00080D40,?,00008000), ref: 0008115F
              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,0007FCED,?,00080D40,?,00008000), ref: 00081184
              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0007FCED,?,00080D40,?,00008000), ref: 0008118E
              • Sleep.KERNEL32(?,?,?,?,?,?,?,0007FCED,?,00080D40,?,00008000), ref: 000811C1
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: CounterPerformanceQuerySleep
              • String ID:
              • API String ID: 2875609808-0
              • Opcode ID: 626dccef5a54e3a3dedc5e3f85c926bbeb5da88ef0c81356433c0f1fea819abf
              • Instruction ID: 7cb1e35b3e06401042aaa0bfdda6d825fd0d42ccd109f8ef0e30e956601b9ec5
              • Opcode Fuzzy Hash: 626dccef5a54e3a3dedc5e3f85c926bbeb5da88ef0c81356433c0f1fea819abf
              • Instruction Fuzzy Hash: 56112A31D4091DD7DF00AFE5D848AEEBBB8FF09711F004055EA85B2240CB749552CBE5
              APIs
              • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0007D84D
              • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 0007D864
              • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0007D879
              • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 0007D897
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Type$Register$FileLoadModuleNameUser
              • String ID:
              • API String ID: 1352324309-0
              • Opcode ID: e2c9c23cd88f67651e171af3d89d63097e6b51535279c4eb2935bbee59671bfd
              • Instruction ID: da8de28edb62908f2a4081955c1859640ee38e05e10c5205b6f47f12db28ed34
              • Opcode Fuzzy Hash: e2c9c23cd88f67651e171af3d89d63097e6b51535279c4eb2935bbee59671bfd
              • Instruction Fuzzy Hash: 5911A5B5A05705DBF3208F90DC08FA7BBBCEF04700F10C56AA519C6040DBB9E5049BB6
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
              • String ID:
              • API String ID: 3016257755-0
              • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
              • Instruction ID: 49e5f5116af8571affe34edc8bb789376f70d3542898531f28d589c8e182f01c
              • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
              • Instruction Fuzzy Hash: E4017B3244814AFBCF225E84EC05CEE3FA6BB18352B488415FE1C59071D236C9B9BB81
              APIs
              • GetWindowRect.USER32(?,?), ref: 000AB2E4
              • ScreenToClient.USER32(?,?), ref: 000AB2FC
              • ScreenToClient.USER32(?,?), ref: 000AB320
              • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 000AB33B
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: ClientRectScreen$InvalidateWindow
              • String ID:
              • API String ID: 357397906-0
              • Opcode ID: 866191c62215719c204f46333c83fdc8b2ecbecf72af22345ffdc9f41f8953c9
              • Instruction ID: 964bb80f0acce26cf56485454854ba2e3267090f6f9d1e4f1aa1ac1f71c7528c
              • Opcode Fuzzy Hash: 866191c62215719c204f46333c83fdc8b2ecbecf72af22345ffdc9f41f8953c9
              • Instruction Fuzzy Hash: 2A114675D0060AEFDB41DFD9C4849EEBBF5FB09311F104166E914E3220D735AA559F50
              APIs
              • _memset.LIBCMT ref: 000AB644
              • _memset.LIBCMT ref: 000AB653
              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,000E6F20,000E6F64), ref: 000AB682
              • CloseHandle.KERNEL32 ref: 000AB694
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: _memset$CloseCreateHandleProcess
              • String ID:
              • API String ID: 3277943733-0
              • Opcode ID: ec61f45834dad6c4b85f5b1af16536528d8ee51ac20fa73abb02b670307ceb17
              • Instruction ID: 9623237da3897f379302bf6e8987b56d5df94bb8e9952db95e0ce33a3b5ac793
              • Opcode Fuzzy Hash: ec61f45834dad6c4b85f5b1af16536528d8ee51ac20fa73abb02b670307ceb17
              • Instruction Fuzzy Hash: 9EF0DAB26407447EF71027A5BC46FBB7A9CEB19795F404031FA09E91A2D77A5C1087A8
              APIs
              • EnterCriticalSection.KERNEL32(?), ref: 00086BE6
                • Part of subcall function 000876C4: _memset.LIBCMT ref: 000876F9
              • _memmove.LIBCMT ref: 00086C09
              • _memset.LIBCMT ref: 00086C16
              • LeaveCriticalSection.KERNEL32(?), ref: 00086C26
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: CriticalSection_memset$EnterLeave_memmove
              • String ID:
              • API String ID: 48991266-0
              • Opcode ID: a85a0cd7bb8c1e75a8c62e6f7632d240887f90c44a2204f87a82fea453e74aea
              • Instruction ID: 329e1e80cbc4e72e10f76806398100aaa66a2987fe651b6e976449e5048e276f
              • Opcode Fuzzy Hash: a85a0cd7bb8c1e75a8c62e6f7632d240887f90c44a2204f87a82fea453e74aea
              • Instruction Fuzzy Hash: 81F05E7A200100ABCF416F95DC85A8ABB29EF46320F04C061FE08AE227D735E821CBB4
              APIs
                • Part of subcall function 000212F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0002134D
                • Part of subcall function 000212F3: SelectObject.GDI32(?,00000000), ref: 0002135C
                • Part of subcall function 000212F3: BeginPath.GDI32(?), ref: 00021373
                • Part of subcall function 000212F3: SelectObject.GDI32(?,00000000), ref: 0002139C
              • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 000ABD40
              • LineTo.GDI32(00000000,?,?), ref: 000ABD4D
              • EndPath.GDI32(00000000), ref: 000ABD5D
              • StrokePath.GDI32(00000000), ref: 000ABD6B
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
              • String ID:
              • API String ID: 1539411459-0
              • Opcode ID: 0a0771dbf2855bee4064000bdcf392e50497a7a8c67393a0ba0e5bd27c05b9a8
              • Instruction ID: 7b368b3b5427d66a0fc707a84329d7551a014821b6aeb396b94afcb27d8a40ad
              • Opcode Fuzzy Hash: 0a0771dbf2855bee4064000bdcf392e50497a7a8c67393a0ba0e5bd27c05b9a8
              • Instruction Fuzzy Hash: BFF05E31001A9ABAEB226F94AC09FDE3F99AF07711F044000FA11650E28BB85565DB95
              APIs
              • GetSysColor.USER32(00000008), ref: 00022231
              • SetTextColor.GDI32(?,000000FF), ref: 0002223B
              • SetBkMode.GDI32(?,00000001), ref: 00022250
              • GetStockObject.GDI32(00000005), ref: 00022258
              • GetWindowDC.USER32(?,00000000), ref: 0005BE83
              • GetPixel.GDI32(00000000,00000000,00000000), ref: 0005BE90
              • GetPixel.GDI32(00000000,?,00000000), ref: 0005BEA9
              • GetPixel.GDI32(00000000,00000000,?), ref: 0005BEC2
              • GetPixel.GDI32(00000000,?,?), ref: 0005BEE2
              • ReleaseDC.USER32(?,00000000), ref: 0005BEED
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
              • String ID:
              • API String ID: 1946975507-0
              • Opcode ID: af22768186939208123b7c804fb5820d84489fc3113ff7d534c80dc3cc5af368
              • Instruction ID: 107c06cdb828c8cb7ce98acdbf13a50352f72ee49a9d655bbaa57b6f8a2763a6
              • Opcode Fuzzy Hash: af22768186939208123b7c804fb5820d84489fc3113ff7d534c80dc3cc5af368
              • Instruction Fuzzy Hash: A4E03932504645EAEF615FA4FC0D7E83B50EB06332F148376FA69480E187764984DB22
              APIs
              • GetCurrentThread.KERNEL32 ref: 0007871B
              • OpenThreadToken.ADVAPI32(00000000,?,?,?,000782E6), ref: 00078722
              • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,000782E6), ref: 0007872F
              • OpenProcessToken.ADVAPI32(00000000,?,?,?,000782E6), ref: 00078736
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: CurrentOpenProcessThreadToken
              • String ID:
              • API String ID: 3974789173-0
              • Opcode ID: 2b46195a8041ede3d1ad31a2ce1c55121edd0dde5468b8f8af2f2618238a0e55
              • Instruction ID: f870df506894fa166a8e0428a375b984ccb7621b7500f79cad84c9947e0347cb
              • Opcode Fuzzy Hash: 2b46195a8041ede3d1ad31a2ce1c55121edd0dde5468b8f8af2f2618238a0e55
              • Instruction Fuzzy Hash: 6BE08636A552129BE7605FF05D0CFA73BACEF52791F14C828B24AC9040DA3C8441C750
              APIs
              • OleSetContainedObject.OLE32(?,00000001), ref: 0007B4BE
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: ContainedObject
              • String ID: AutoIt3GUI$Container
              • API String ID: 3565006973-3941886329
              • Opcode ID: d5b16461c73d5a8affa5e39027618a6e52080cd65569589d2bd5dd06712a9af8
              • Instruction ID: 8bd4127b9f823571bb7beca32b45229a1502f69727620281f6eeb18180a86e25
              • Opcode Fuzzy Hash: d5b16461c73d5a8affa5e39027618a6e52080cd65569589d2bd5dd06712a9af8
              • Instruction Fuzzy Hash: 8B914970A00601AFDB64DF64C884BAAB7F5FF48710F10856EF94ACB291DB75E841CB64
              APIs
                • Part of subcall function 0003FC86: _wcscpy.LIBCMT ref: 0003FCA9
                • Part of subcall function 00029837: __itow.LIBCMT ref: 00029862
                • Part of subcall function 00029837: __swprintf.LIBCMT ref: 000298AC
              • __wcsnicmp.LIBCMT ref: 0008B02D
              • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0008B0F6
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
              • String ID: LPT
              • API String ID: 3222508074-1350329615
              • Opcode ID: d6db063a7990ec1e638dfcc15e47532374a9702539d62d8a4e129e6947b951d2
              • Instruction ID: bea4507f588a4aef10c5e259b143f522289297310f939ecceefd1f33917a6673
              • Opcode Fuzzy Hash: d6db063a7990ec1e638dfcc15e47532374a9702539d62d8a4e129e6947b951d2
              • Instruction Fuzzy Hash: F3618D75A00219AFCB14EF94D895EEEB7F4FB09710F1440A9F956AB291DB30AE40CB94
              APIs
              • Sleep.KERNEL32(00000000), ref: 00032968
              • GlobalMemoryStatusEx.KERNEL32(?), ref: 00032981
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: GlobalMemorySleepStatus
              • String ID: @
              • API String ID: 2783356886-2766056989
              • Opcode ID: 3d6eab26e8b1d5b5372422a2fa4b8c515068d279e234ceeba1d2c2dc28ca2561
              • Instruction ID: ec11d775373221a20abcf9b359de1a7c285ff9ff75848d3b8cafd065c4c11f97
              • Opcode Fuzzy Hash: 3d6eab26e8b1d5b5372422a2fa4b8c515068d279e234ceeba1d2c2dc28ca2561
              • Instruction Fuzzy Hash: EF5147714087549BE720EF10E886BEFBBE8FB85354F42885DF6D8410A2DF318529CB66
              APIs
                • Part of subcall function 00024F0B: __fread_nolock.LIBCMT ref: 00024F29
              • _wcscmp.LIBCMT ref: 00089824
              • _wcscmp.LIBCMT ref: 00089837
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: _wcscmp$__fread_nolock
              • String ID: FILE
              • API String ID: 4029003684-3121273764
              • Opcode ID: d17063aba7d2e6963332cf7a7e547ca07659e9d1a268bffefa37eca62607e9cb
              • Instruction ID: bcf6d7a52fe52b5cb149b71daa59caeddc1234b8ea0d48ea6fe004c0ba33ec25
              • Opcode Fuzzy Hash: d17063aba7d2e6963332cf7a7e547ca07659e9d1a268bffefa37eca62607e9cb
              • Instruction Fuzzy Hash: 3941C671A0021ABADF20AEA0DC45FEFBBFDEF85710F000479F904B7182DA719A048B65
              APIs
              • _memset.LIBCMT ref: 0009259E
              • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 000925D4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: CrackInternet_memset
              • String ID: |
              • API String ID: 1413715105-2343686810
              • Opcode ID: 2002e8284fa04845d63468debd1dabffa8ddb68a0a5f23d41fb4742e8d8a8c04
              • Instruction ID: a4322cf32b850db49ffeed2160efab75e9538e78b0e90878db44d5f3a83c6c53
              • Opcode Fuzzy Hash: 2002e8284fa04845d63468debd1dabffa8ddb68a0a5f23d41fb4742e8d8a8c04
              • Instruction Fuzzy Hash: BC311571804119EBCF11EFA1DC85EEEBFB8FF08350F104069F919A6162EB315A56DBA0
              APIs
              • SendMessageW.USER32(?,00001132,00000000,?), ref: 000A7B61
              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 000A7B76
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: MessageSend
              • String ID: '
              • API String ID: 3850602802-1997036262
              • Opcode ID: 5beb3c99c49362b1bd1d78ebcdcfeb7455b0509bff828a82cb08c5144096caae
              • Instruction ID: dd546d930f3a4dbd12db0c864bf2c32255b95e036043ac8aea14d6f56e72b6e2
              • Opcode Fuzzy Hash: 5beb3c99c49362b1bd1d78ebcdcfeb7455b0509bff828a82cb08c5144096caae
              • Instruction Fuzzy Hash: 05410A74A05209AFDB54CFA4C981BEEBBF5FF49300F10416AE908AB351D771A951CFA0
              APIs
              • DestroyWindow.USER32(?,?,?,?), ref: 000A6B17
              • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 000A6B53
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Window$DestroyMove
              • String ID: static
              • API String ID: 2139405536-2160076837
              • Opcode ID: a7e9e9b0c9c5f6717ab111086654dc30afe08e8ed3d86c5ff70943dfcdb28d28
              • Instruction ID: 565c4e702f227217aefad4d9b8357e990342c6ed415bb4d1f5940d9534daee77
              • Opcode Fuzzy Hash: a7e9e9b0c9c5f6717ab111086654dc30afe08e8ed3d86c5ff70943dfcdb28d28
              • Instruction Fuzzy Hash: 5E318F71110604AEEB109FA8DC80BFB73B9FF49760F148619F9A5D7191DB31AC91CB60
              APIs
              • _memset.LIBCMT ref: 00082911
              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0008294C
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: InfoItemMenu_memset
              • String ID: 0
              • API String ID: 2223754486-4108050209
              • Opcode ID: 016eb55a2040b2e1674862467a6c87dd5db257b3a95582ee59f86a7e7e3db5d2
              • Instruction ID: 395a7b40932a7334e5c14653cda0703862b07ff30c7838517b2a985a0d4bebe8
              • Opcode Fuzzy Hash: 016eb55a2040b2e1674862467a6c87dd5db257b3a95582ee59f86a7e7e3db5d2
              • Instruction Fuzzy Hash: A2319171A00305AFEB64EF98CD85BEEBBF9FF45350F140029E9C5A61A1DB709944CB51
              APIs
              • __snwprintf.LIBCMT ref: 00093A66
                • Part of subcall function 00027DE1: _memmove.LIBCMT ref: 00027E22
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: __snwprintf_memmove
              • String ID: , $$AUTOITCALLVARIABLE%d
              • API String ID: 3506404897-2584243854
              • Opcode ID: cb1f6e8a96541acdf36f95d7813e46434c075f38e4db6b171ac82d402162b9ed
              • Instruction ID: 57708246768303a0cc5bb685ef02eab707e5cb93131f195e1005cd9416be23ee
              • Opcode Fuzzy Hash: cb1f6e8a96541acdf36f95d7813e46434c075f38e4db6b171ac82d402162b9ed
              • Instruction Fuzzy Hash: B5219134600229AFCF10EF64DC82EEE77B9AF44300F504459F559AB282DB34EA45DF66
              APIs
              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 000A6761
              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 000A676C
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: MessageSend
              • String ID: Combobox
              • API String ID: 3850602802-2096851135
              • Opcode ID: 75e16b71dc37c4d47ecb210a726dd4a002f9c42fa1fd4643e2dc660b52c76599
              • Instruction ID: 871b729bce0a4c85f21d0f187f9844312c92865e3194c1c9ff8d1133d9b27672
              • Opcode Fuzzy Hash: 75e16b71dc37c4d47ecb210a726dd4a002f9c42fa1fd4643e2dc660b52c76599
              • Instruction Fuzzy Hash: 9011E675214208AFEF518FA4CC80EFF37BAEB46368F140125F91497290D6329C5087A0
              APIs
                • Part of subcall function 00021D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00021D73
                • Part of subcall function 00021D35: GetStockObject.GDI32(00000011), ref: 00021D87
                • Part of subcall function 00021D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00021D91
              • GetWindowRect.USER32(00000000,?), ref: 000A6C71
              • GetSysColor.USER32(00000012), ref: 000A6C8B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Window$ColorCreateMessageObjectRectSendStock
              • String ID: static
              • API String ID: 1983116058-2160076837
              • Opcode ID: 68726dc346d994dc9d81f6d9c963bafaef6a0811ac63c4493c29d65d552a5a23
              • Instruction ID: 8030935e3f183f47b0dd47254410e4b472ed1cbc426bf1bb9d5984c158c93192
              • Opcode Fuzzy Hash: 68726dc346d994dc9d81f6d9c963bafaef6a0811ac63c4493c29d65d552a5a23
              • Instruction Fuzzy Hash: B7214472A1021AAFDB04DFF8CC45AFA7BB9FB09314F044628F995E2250D635E8609B60
              APIs
              • GetWindowTextLengthW.USER32(00000000), ref: 000A69A2
              • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 000A69B1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: LengthMessageSendTextWindow
              • String ID: edit
              • API String ID: 2978978980-2167791130
              • Opcode ID: d4d53517568f27f6cef93800971e4cf6963aa9037f502ea02ed8f72da944ad86
              • Instruction ID: b7f736a51f5ed53a709cafa2d9b87073a0c95f7d9b3ed88855f107e2a2189ba6
              • Opcode Fuzzy Hash: d4d53517568f27f6cef93800971e4cf6963aa9037f502ea02ed8f72da944ad86
              • Instruction Fuzzy Hash: F9119A71500208ABEB508EB4DC40AFB37BDEB063B8F144728FAA1961E0C736DC519B60
              APIs
              • _memset.LIBCMT ref: 00082A22
              • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00082A41
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: InfoItemMenu_memset
              • String ID: 0
              • API String ID: 2223754486-4108050209
              • Opcode ID: 055267806e428c6f0b5a867546ea3aa027cce6352c551cc4e950044be74495ad
              • Instruction ID: e8c7ce54e026f78ac947d8d34d7497d17b810c9a57631675a30227356c127593
              • Opcode Fuzzy Hash: 055267806e428c6f0b5a867546ea3aa027cce6352c551cc4e950044be74495ad
              • Instruction Fuzzy Hash: 2911D036901514ABDB78EA98DD84BAE73E8BF45304F044021E895FB290D770AD0AC792
              APIs
              • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0009222C
              • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00092255
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Internet$OpenOption
              • String ID: <local>
              • API String ID: 942729171-4266983199
              • Opcode ID: 6809debf6d86c2c9b5686cc0251a744094ec9c22c8eae911a9f692c04306e82d
              • Instruction ID: 064b37885a989170b8c72bdceba9c1a32c986cfe5a41b99e0732a8199c0dd899
              • Opcode Fuzzy Hash: 6809debf6d86c2c9b5686cc0251a744094ec9c22c8eae911a9f692c04306e82d
              • Instruction Fuzzy Hash: 7B11E170541626FADF299F518C88EFBFBACFF16751F10822AFA1586100D3706990E6F0
              APIs
                • Part of subcall function 00027DE1: _memmove.LIBCMT ref: 00027E22
                • Part of subcall function 0007AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0007AABC
              • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00078E73
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: ClassMessageNameSend_memmove
              • String ID: ComboBox$ListBox
              • API String ID: 372448540-1403004172
              • Opcode ID: 1e276cf6bfb9afc8459ce921c5be3567fd79244260a4dcc5140944f0b3d72f58
              • Instruction ID: 57ab85eef9778d2aef193edf6089a3c575dafc09db9f1d21382e1145a0a8ebcc
              • Opcode Fuzzy Hash: 1e276cf6bfb9afc8459ce921c5be3567fd79244260a4dcc5140944f0b3d72f58
              • Instruction Fuzzy Hash: 7D01F571B81229AB8B14EBA0CC45CFE7368AF02320B048619F8295B2D2EF355808D764
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: __fread_nolock_memmove
              • String ID: EA06
              • API String ID: 1988441806-3962188686
              • Opcode ID: 8cadfd59272e3638950e23a0883b5aaa76f1a76095842d8e1d953317b8ff7437
              • Instruction ID: b03b9cb1caa2197fd85b0053771d2cc7bf82e9220484640c0491f1c8275e9bcf
              • Opcode Fuzzy Hash: 8cadfd59272e3638950e23a0883b5aaa76f1a76095842d8e1d953317b8ff7437
              • Instruction Fuzzy Hash: C901F9B18042187FDB28DBA8CC16EFE7BF8DB11311F0041ABF592D2282E874A6048760
              APIs
                • Part of subcall function 00027DE1: _memmove.LIBCMT ref: 00027E22
                • Part of subcall function 0007AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0007AABC
              • SendMessageW.USER32(?,00000180,00000000,?), ref: 00078D6B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: ClassMessageNameSend_memmove
              • String ID: ComboBox$ListBox
              • API String ID: 372448540-1403004172
              • Opcode ID: d540a7051a6229ade94a039df22caf2146d4216bc80024e9d9c706bd8897f13a
              • Instruction ID: c9e8ded35282d396495e3ac95448ac9909d5df5db62e03397fd056469bf15c6f
              • Opcode Fuzzy Hash: d540a7051a6229ade94a039df22caf2146d4216bc80024e9d9c706bd8897f13a
              • Instruction Fuzzy Hash: 9F01D471B81119BBDB24EBA0C956EFF77A89F16340F108019B809672D2EE295E08D376
              APIs
                • Part of subcall function 00027DE1: _memmove.LIBCMT ref: 00027E22
                • Part of subcall function 0007AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0007AABC
              • SendMessageW.USER32(?,00000182,?,00000000), ref: 00078DEE
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: ClassMessageNameSend_memmove
              • String ID: ComboBox$ListBox
              • API String ID: 372448540-1403004172
              • Opcode ID: c036bed39b4d5d7c75ad3765f1ab2b8468e1c01d6468d749da7d40157fe42397
              • Instruction ID: 9ce44b6ac286f91935f56c2fc8f61f1c6cf1b8305b4552036e42b3df88498537
              • Opcode Fuzzy Hash: c036bed39b4d5d7c75ad3765f1ab2b8468e1c01d6468d749da7d40157fe42397
              • Instruction Fuzzy Hash: EC01F771F81119B7DB25E6A4C946EFF77AC8F12300F108015B80A672D2DE295E08D375
              APIs
              • VariantInit.OLEAUT32(?), ref: 0007C534
                • Part of subcall function 0007C816: _memmove.LIBCMT ref: 0007C860
                • Part of subcall function 0007C816: VariantInit.OLEAUT32(00000000), ref: 0007C882
                • Part of subcall function 0007C816: VariantCopy.OLEAUT32(00000000,?), ref: 0007C88C
              • VariantClear.OLEAUT32(?), ref: 0007C556
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Variant$Init$ClearCopy_memmove
              • String ID: d}
              • API String ID: 2932060187-1421853160
              • Opcode ID: 76d39d96e2123a81c660aa86c7009e1c64777cac404d14500a7df7f6ed7ad887
              • Instruction ID: 9e028a785d19be6c84c49628993577ba30b059391d2bc89c478ebc48c3bfbf2c
              • Opcode Fuzzy Hash: 76d39d96e2123a81c660aa86c7009e1c64777cac404d14500a7df7f6ed7ad887
              • Instruction Fuzzy Hash: D5110C719007099FD710DFAAD88489AF7F8FF18310B50862FE58AD7612E775AA45CBA0
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: __calloc_crt
              • String ID:
              • API String ID: 3494438863-1747426322
              • Opcode ID: d25830b5c357797baa3d4b6fc88b15c83778d8ecef795c2346526f8794cd103b
              • Instruction ID: ac7f0c5aa518a75cc21a79d46fe43d3aea543d9a95970b19218cf0a4f7300605
              • Opcode Fuzzy Hash: d25830b5c357797baa3d4b6fc88b15c83778d8ecef795c2346526f8794cd103b
              • Instruction Fuzzy Hash: 12F044B1608B518BF7649F54FC91BA627D5E702B34B50483EE300DF291FB7988C186D9
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: ClassName_wcscmp
              • String ID: #32770
              • API String ID: 2292705959-463685578
              • Opcode ID: 197874e52203a4bee5c7ab6a4906b45404b93c6f38a8db099a27bde4f691a004
              • Instruction ID: 50657f35ed6c79b54907041c515fea924ff0bc9530afd58bd591168aadc6065a
              • Opcode Fuzzy Hash: 197874e52203a4bee5c7ab6a4906b45404b93c6f38a8db099a27bde4f691a004
              • Instruction Fuzzy Hash: 31E06833600B292BE320AB99AC49FB7F7ECEB61B70F00002BFD00D7041D9609A4187E0
              APIs
                • Part of subcall function 0005B314: _memset.LIBCMT ref: 0005B321
                • Part of subcall function 00040940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0005B2F0,?,?,?,0002100A), ref: 00040945
              • IsDebuggerPresent.KERNEL32(?,?,?,0002100A), ref: 0005B2F4
              • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0002100A), ref: 0005B303
              Strings
              • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0005B2FE
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
              • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
              • API String ID: 3158253471-631824599
              • Opcode ID: b1dc433e52d3a8ad976a804d23f57aadb20a8cebe16e3f43b4b6a066d4049ace
              • Instruction ID: 4279bb682965b04e387e394b654693e8e10c238ff59a03e7de90342435058a87
              • Opcode Fuzzy Hash: b1dc433e52d3a8ad976a804d23f57aadb20a8cebe16e3f43b4b6a066d4049ace
              • Instruction Fuzzy Hash: E0E09270200711CFE720DF68E8047477BE8AF00705F008A7CE856EB642E7B8E508CBA1
              APIs
              • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00077C82
                • Part of subcall function 00043358: _doexit.LIBCMT ref: 00043362
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Message_doexit
              • String ID: AutoIt$Error allocating memory.
              • API String ID: 1993061046-4017498283
              • Opcode ID: eed26a868b1f59e55906e1b7d4bc86c7e2849c2f5da1d4f5db74e1810ea68c20
              • Instruction ID: cdbd4aa51195e857b8205718b479dd956aec46b00b3dce60f7f477adf4fa5182
              • Opcode Fuzzy Hash: eed26a868b1f59e55906e1b7d4bc86c7e2849c2f5da1d4f5db74e1810ea68c20
              • Instruction Fuzzy Hash: 91D05B323C831836D11532A57D07FDA79884F05B52F044476FB0C9D5D349E5459041FD
              APIs
              • GetSystemDirectoryW.KERNEL32(?), ref: 00061775
                • Part of subcall function 0009BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,0006195E,?), ref: 0009BFFE
                • Part of subcall function 0009BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0009C010
              • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0006196D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: Library$AddressDirectoryFreeLoadProcSystem
              • String ID: WIN_XPe
              • API String ID: 582185067-3257408948
              • Opcode ID: 654aeae33d2934931fea41624fbaf8b0b924e893a04ba43af2ac59083ce1273c
              • Instruction ID: 8438e6d2126770c5e0960d0e267536c8d2c003a0e68e0b468653256337f2d5bc
              • Opcode Fuzzy Hash: 654aeae33d2934931fea41624fbaf8b0b924e893a04ba43af2ac59083ce1273c
              • Instruction Fuzzy Hash: 5DF0C971804109DFEB65DB91D998AECBBF9AB18301F580095E102A60A1D7755F84DF60
              APIs
              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 000A596E
              • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 000A5981
                • Part of subcall function 00085244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 000852BC
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: FindMessagePostSleepWindow
              • String ID: Shell_TrayWnd
              • API String ID: 529655941-2988720461
              • Opcode ID: 5adbe87c77198992df0b7ee2be754416990c446f35c8ca019d98bb6634811255
              • Instruction ID: 9f5da3c545fd5fa98a0289c0a1a761937b3246fbb904fe8369e8c9f08bddf840
              • Opcode Fuzzy Hash: 5adbe87c77198992df0b7ee2be754416990c446f35c8ca019d98bb6634811255
              • Instruction Fuzzy Hash: 29D0C935784B12B6E664BBB0AC4FFE66A54BB01B51F000825B349AA1D5C9E49800C764
              APIs
              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 000A59AE
              • PostMessageW.USER32(00000000), ref: 000A59B5
                • Part of subcall function 00085244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 000852BC
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2195519483.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
              • Associated: 00000000.00000002.2191420299.0000000000020000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195595153.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195682774.00000000000DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2195717373.00000000000E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_20000_Pb4xbhZNjF.jbxd
              Similarity
              • API ID: FindMessagePostSleepWindow
              • String ID: Shell_TrayWnd
              • API String ID: 529655941-2988720461
              • Opcode ID: f9b3aaae2e07ba9db680c1d6bcba02e655a2d8163e6c9ac34e958cde3b91449d
              • Instruction ID: 2785d8b5f6f281fef2d49fefba0451ef93b1273ee2ae9e037f993164d181455b
              • Opcode Fuzzy Hash: f9b3aaae2e07ba9db680c1d6bcba02e655a2d8163e6c9ac34e958cde3b91449d
              • Instruction Fuzzy Hash: 24D0C931780B127AF664BBB0AC4FFE66654BB06B51F000825B345AA1D5C9E4A800C768