
Windows Analysis Report
W1POMvaEjU.exe

Overview

General Information

Sample name: W1POMvaEjU.exe (renamed because the original name is a hash value)
Original sample name: 6d81217c0442e0535162372b709e4d851959859e8dd412b06218386fc06806f4.exe
Analysis ID: 1588805
MD5: cd1cb6efd134a033bf59c6b44cd24b52
SHA1: e6a18b32c4b16c5e5be92e403f7c09ab6f587c13
SHA256: 6d81217c0442e0535162372b709e4d851959859e8dd412b06218386fc06806f4
Tags: exe, Formbook, user-adrian__luca

Detection

FormBook
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • W1POMvaEjU.exe (PID: 6544 cmdline: "C:\Users\user\Desktop\W1POMvaEjU.exe" MD5: CD1CB6EFD134A033BF59C6B44CD24B52)
    • svchost.exe (PID: 4236 cmdline: "C:\Users\user\Desktop\W1POMvaEjU.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000002.00000002.2251633216.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.2251943899.0000000003940000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

          System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Users\user\Desktop\W1POMvaEjU.exe", CommandLine: "C:\Users\user\Desktop\W1POMvaEjU.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\W1POMvaEjU.exe", ParentImage: C:\Users\user\Desktop\W1POMvaEjU.exe, ParentProcessId: 6544, ParentProcessName: W1POMvaEjU.exe, ProcessCommandLine: "C:\Users\user\Desktop\W1POMvaEjU.exe", ProcessId: 4236, ProcessName: svchost.exe
Source: Process started, Author: vburov, Data: Command: "C:\Users\user\Desktop\W1POMvaEjU.exe", CommandLine: "C:\Users\user\Desktop\W1POMvaEjU.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\W1POMvaEjU.exe", ParentImage: C:\Users\user\Desktop\W1POMvaEjU.exe, ParentProcessId: 6544, ParentProcessName: W1POMvaEjU.exe, ProcessCommandLine: "C:\Users\user\Desktop\W1POMvaEjU.exe", ProcessId: 4236, ProcessName: svchost.exe
          No Suricata rule has matched

          AV Detection

Source: W1POMvaEjU.exe, ReversingLabs: Detection: 71%
Source: Yara match, File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000002.00000002.2251633216.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.2251943899.0000000003940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: W1POMvaEjU.exe, Joe Sandbox ML: detected
Source: W1POMvaEjU.exe, Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: Binary string: wntdll.pdbUGP source: W1POMvaEjU.exe, 00000000.00000003.2143838014.0000000004120000.00000004.00001000.00020000.00000000.sdmp, W1POMvaEjU.exe, 00000000.00000003.2144753849.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2251979046.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2205355434.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2251979046.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2203560836.0000000003600000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: W1POMvaEjU.exe, 00000000.00000003.2143838014.0000000004120000.00000004.00001000.00020000.00000000.sdmp, W1POMvaEjU.exe, 00000000.00000003.2144753849.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2251979046.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2205355434.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2251979046.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2203560836.0000000003600000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\W1POMvaEjU.exe, Code function: 0_2_00C94696 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\W1POMvaEjU.exe, Code function: 0_2_00C9C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\W1POMvaEjU.exe, Code function: 0_2_00C9C93C FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\W1POMvaEjU.exe, Code function: 0_2_00C9F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\W1POMvaEjU.exe, Code function: 0_2_00C9F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\W1POMvaEjU.exe, Code function: 0_2_00C9F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\W1POMvaEjU.exe, Code function: 0_2_00C93A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\W1POMvaEjU.exe, Code function: 0_2_00C93D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\W1POMvaEjU.exe, Code function: 0_2_00C9BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\W1POMvaEjU.exe, Code function: 0_2_00CA25E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile
Source: C:\Users\user\Desktop\W1POMvaEjU.exe, Code function: 0_2_00CA425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\W1POMvaEjU.exe, Code function: 0_2_00CA4458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\W1POMvaEjU.exe, Code function: 0_2_00C90219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
Source: C:\Users\user\Desktop\W1POMvaEjU.exe, Code function: 0_2_00CBCDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

          E-Banking Fraud

Source: Yara match, File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000002.00000002.2251633216.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.2251943899.0000000003940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

          System Summary

Source: C:\Users\user\Desktop\W1POMvaEjU.exe, Code function: 0_2_00C33B4C: This is a third-party compiled AutoIt script.
Source: W1POMvaEjU.exe, String found in binary or memory: This is a third-party compiled AutoIt script.
Source: W1POMvaEjU.exe, 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp, String found in binary or memory: This is a third-party compiled AutoIt script.memstr_74dc135b-c
Source: W1POMvaEjU.exe, 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp, String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_fb2eb38f-c
Source: W1POMvaEjU.exe, String found in binary or memory: This is a third-party compiled AutoIt script.memstr_467870d3-0
Source: W1POMvaEjU.exe, String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_1bb2a0e8-d
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0042C8C3 NtClose
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03A72B60 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03A72DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03A735C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03A74340 NtSetContextThread
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03A74650 NtSuspendThread
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03A72BA0 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03A72B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03A72BE0 NtQueryValueKey
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03A72BF0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03A72AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03A72AF0 NtWriteFile
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03A72AD0 NtReadFile
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03A72FA0 NtQuerySection
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03A72FB0 NtResumeThread
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03A72F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03A72FE0 NtCreateFile
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03A72F30 NtCreateSection
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03A72F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03A72EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03A72E80 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03A72EE0 NtQueueApcThread
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03A72E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03A72DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03A72DD0 NtDelayExecution
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03A72D30 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03A72D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03A72D10 NtMapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03A72CA0 NtQueryInformationToken
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03A72CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03A72CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03A72C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03A72C60 NtCreateKey
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03A72C70 NtFreeVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03A73090 NtSetValueKey
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03A73010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03A739B0 NtGetContextThread
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03A73D10 NtOpenProcessToken
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03A73D70 NtOpenThread
Source: C:\Users\user\Desktop\W1POMvaEjU.exe, Code function: 0_2_00C940B1 CreateFileW,_memset,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\W1POMvaEjU.exe, Code function: 0_2_00C88858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\W1POMvaEjU.exe, Code function: 0_2_00C9545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03AAEA12 appears 86 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03A2B970 appears 272 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03A87E54 appears 98 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03ABF290 appears 105 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03A75130 appears 36 times
          Source: C:\Users\user\Desktop\W1POMvaEjU.exeCode function: String function: 00C50D27 appears 70 times
          Source: C:\Users\user\Desktop\W1POMvaEjU.exeCode function: String function: 00C37F41 appears 35 times
          Source: C:\Users\user\Desktop\W1POMvaEjU.exeCode function: String function: 00C58B40 appears 42 times
Source: W1POMvaEjU.exe, 00000000.00000003.2143369092.000000000424D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs W1POMvaEjU.exe
Source: W1POMvaEjU.exe, 00000000.00000003.2145695316.00000000040F3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs W1POMvaEjU.exe
Source: W1POMvaEjU.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engine | Classification label: mal80.troj.evad.winEXE@3/2@0/0
Source: C:\Users\user\Desktop\W1POMvaEjU.exe | Code function: 0_2_00C9A2D5 GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\W1POMvaEjU.exe | Code function: 0_2_00C88713 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\W1POMvaEjU.exe | Code function: 0_2_00C88CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\W1POMvaEjU.exe | Code function: 0_2_00C9B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\Desktop\W1POMvaEjU.exe | Code function: 0_2_00CAF121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\W1POMvaEjU.exe | Code function: 0_2_00CA86D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear
Source: C:\Users\user\Desktop\W1POMvaEjU.exe | Code function: 0_2_00C34FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Users\user\Desktop\W1POMvaEjU.exe | File created: C:\Users\user\AppData\Local\Temp\aut6322.tmp
Source: W1POMvaEjU.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\W1POMvaEjU.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: W1POMvaEjU.exe | ReversingLabs: Detection: 71%
Source: unknown | Process created: C:\Users\user\Desktop\W1POMvaEjU.exe "C:\Users\user\Desktop\W1POMvaEjU.exe"
Source: C:\Users\user\Desktop\W1POMvaEjU.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\W1POMvaEjU.exe"
Source: C:\Users\user\Desktop\W1POMvaEjU.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\W1POMvaEjU.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\W1POMvaEjU.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\W1POMvaEjU.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\W1POMvaEjU.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\W1POMvaEjU.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\W1POMvaEjU.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\W1POMvaEjU.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\W1POMvaEjU.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\W1POMvaEjU.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\W1POMvaEjU.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\W1POMvaEjU.exe | Section loaded: ntmarta.dll
Source: W1POMvaEjU.exe | Static file information: File size 1226752 > 1048576
Source: W1POMvaEjU.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: W1POMvaEjU.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: W1POMvaEjU.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: W1POMvaEjU.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: W1POMvaEjU.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: W1POMvaEjU.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: W1POMvaEjU.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: wntdll.pdbUGP source: W1POMvaEjU.exe, 00000000.00000003.2143838014.0000000004120000.00000004.00001000.00020000.00000000.sdmp, W1POMvaEjU.exe, 00000000.00000003.2144753849.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2251979046.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2205355434.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2251979046.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2203560836.0000000003600000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: W1POMvaEjU.exe, 00000000.00000003.2143838014.0000000004120000.00000004.00001000.00020000.00000000.sdmp, W1POMvaEjU.exe, 00000000.00000003.2144753849.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2251979046.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2205355434.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2251979046.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2203560836.0000000003600000.00000004.00000020.00020000.00000000.sdmp
Source: W1POMvaEjU.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: W1POMvaEjU.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: W1POMvaEjU.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: W1POMvaEjU.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: W1POMvaEjU.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\W1POMvaEjU.exe | Code function: 0_2_00CAC304 LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\W1POMvaEjU.exe | Code function: 0_2_00C3C64F push FFFFFFC5h; ret 0_2_00C3C656
Source: C:\Users\user\Desktop\W1POMvaEjU.exe | Code function: 0_2_00C3C64C push FFFFFFC5h; ret 0_2_00C3C64E
Source: C:\Users\user\Desktop\W1POMvaEjU.exe | Code function: 0_2_00C36930 push 67ED00C3h; ret 0_2_00C3693A
Source: C:\Users\user\Desktop\W1POMvaEjU.exe | Code function: 0_2_00C58B85 push ecx; ret 0_2_00C58B98
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00419050 push esp; retf 2_2_00419056
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004038BC push esi; ret 2_2_004038BD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00414263 push ebp; retf 2_2_0041444B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040739C push ds; iretd 2_2_004073A6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004034F0 push eax; ret 2_2_004034F2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041ED70 push F3E5F1E9h; retf 2_2_0041EDAA
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040D532 push 00000016h; ret 2_2_0040D543
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040AD3D push esp; ret 2_2_0040AD53
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401E68 push ds; retf 2_2_00401E6B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00416693 push ds; retf 2_2_004166BF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004166B2 push ds; retf 2_2_004166BF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004017CE push ds; ret 2_2_004017E3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004037EF pushad ; retf 2_2_004037F6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401FB8 push ds; ret 2_2_00401FD6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A0225F pushad ; ret 2_2_03A027F9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A027FA pushad ; ret 2_2_03A027F9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A309AD push ecx; mov dword ptr [esp], ecx 2_2_03A309B6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A0283D push eax; iretd 2_2_03A02858
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A01366 push eax; iretd 2_2_03A01369
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A09939 push es; iretd 2_2_03A09940
Source: C:\Users\user\Desktop\W1POMvaEjU.exe | Code function: 0_2_00C34A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\Desktop\W1POMvaEjU.exe | Code function: 0_2_00CB55FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
Source: C:\Users\user\Desktop\W1POMvaEjU.exe | Code function: 0_2_00C533C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress (GetProcAddress repeated 36 times)
Source: C:\Users\user\Desktop\W1POMvaEjU.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

Source: C:\Users\user\Desktop\W1POMvaEjU.exe | API/Special instruction interceptor: Address: 15DFA04
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A7096E rdtsc
Source: C:\Users\user\Desktop\W1POMvaEjU.exe | API coverage: 4.4 %
Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.6 %
Source: C:\Windows\SysWOW64\svchost.exe TID: 4328 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\W1POMvaEjU.exe | Code function: 0_2_00C94696 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\W1POMvaEjU.exe | Code function: 0_2_00C9C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\W1POMvaEjU.exe | Code function: 0_2_00C9C93C FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\W1POMvaEjU.exe | Code function: 0_2_00C9F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\W1POMvaEjU.exe | Code function: 0_2_00C9F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\W1POMvaEjU.exe | Code function: 0_2_00C9F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\W1POMvaEjU.exe | Code function: 0_2_00C93A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\W1POMvaEjU.exe | Code function: 0_2_00C93D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\W1POMvaEjU.exe | Code function: 0_2_00C9BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\W1POMvaEjU.exe | Code function: 0_2_00C34AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A7096E rdtsc
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004178E3 LdrLoadDll
Source: C:\Users\user\Desktop\W1POMvaEjU.exe | Code function: 0_2_00CA41FD BlockInput
Source: C:\Users\user\Desktop\W1POMvaEjU.exe | Code function: 0_2_00C33B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\W1POMvaEjU.exe | Code function: 0_2_00C65CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
Source: C:\Users\user\Desktop\W1POMvaEjU.exe | Code function: 0_2_00CAC304 LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\W1POMvaEjU.exe | Code function: 0_2_015DE630 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\W1POMvaEjU.exe | Code function: 0_2_015DFC70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\W1POMvaEjU.exe | Code function: 0_2_015DFCD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2E388 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A5438F mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A28397 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h] (8 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A4E3F0 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A663FF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AEC3CD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h] (6 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A383C0 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB63C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A6A30B mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2C310 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A50310 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AD437C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h] (15 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h] (5 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB035C mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AFA352 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h] (5 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AC62A0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A6E284 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB0283 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A402E1 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h] (5 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2823B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A34260 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2826B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h] (12 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB8243 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB8243 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2A250 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A36259 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A70185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AEC188 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB019F mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2A197 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B061E5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A601F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AF61C3 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AAE1D0 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AAE1D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A60124 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ADA118 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ADA118 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AF0115 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AC4144 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AC4144 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2C156 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AC8158 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A36154 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AC80A8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AF60B8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AF60B8 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A3208A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2A0E3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A380E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB60E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2C0F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A720F0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB20DE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2A020 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2C020 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AC6030 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB4000 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A4E016 mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5C073 mov eax, dword ptr fs:[00000030h]2_2_03A5C073
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A32050 mov eax, dword ptr fs:[00000030h]2_2_03A32050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB6050 mov eax, dword ptr fs:[00000030h]2_2_03AB6050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A307AF mov eax, dword ptr fs:[00000030h]2_2_03A307AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A527ED mov eax, dword ptr fs:[00000030h]2_2_03A527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A527ED mov eax, dword ptr fs:[00000030h]2_2_03A527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A527ED mov eax, dword ptr fs:[00000030h]2_2_03A527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ABE7E1 mov eax, dword ptr fs:[00000030h]2_2_03ABE7E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A347FB mov eax, dword ptr fs:[00000030h]2_2_03A347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A347FB mov eax, dword ptr fs:[00000030h]2_2_03A347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3C7C0 mov eax, dword ptr fs:[00000030h]2_2_03A3C7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB07C3 mov eax, dword ptr fs:[00000030h]2_2_03AB07C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6C720 mov eax, dword ptr fs:[00000030h]2_2_03A6C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6C720 mov eax, dword ptr fs:[00000030h]2_2_03A6C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6273C mov eax, dword ptr fs:[00000030h]2_2_03A6273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6273C mov ecx, dword ptr fs:[00000030h]2_2_03A6273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6273C mov eax, dword ptr fs:[00000030h]2_2_03A6273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAC730 mov eax, dword ptr fs:[00000030h]2_2_03AAC730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6C700 mov eax, dword ptr fs:[00000030h]2_2_03A6C700
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A30710 mov eax, dword ptr fs:[00000030h]2_2_03A30710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A60710 mov eax, dword ptr fs:[00000030h]2_2_03A60710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A38770 mov eax, dword ptr fs:[00000030h]2_2_03A38770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6674D mov esi, dword ptr fs:[00000030h]2_2_03A6674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6674D mov eax, dword ptr fs:[00000030h]2_2_03A6674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6674D mov eax, dword ptr fs:[00000030h]2_2_03A6674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A30750 mov eax, dword ptr fs:[00000030h]2_2_03A30750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ABE75D mov eax, dword ptr fs:[00000030h]2_2_03ABE75D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72750 mov eax, dword ptr fs:[00000030h]2_2_03A72750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72750 mov eax, dword ptr fs:[00000030h]2_2_03A72750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB4755 mov eax, dword ptr fs:[00000030h]2_2_03AB4755
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6C6A6 mov eax, dword ptr fs:[00000030h]2_2_03A6C6A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A666B0 mov eax, dword ptr fs:[00000030h]2_2_03A666B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A34690 mov eax, dword ptr fs:[00000030h]2_2_03A34690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A34690 mov eax, dword ptr fs:[00000030h]2_2_03A34690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03AAE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03AAE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03AAE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03AAE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB06F1 mov eax, dword ptr fs:[00000030h]2_2_03AB06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB06F1 mov eax, dword ptr fs:[00000030h]2_2_03AB06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6A6C7 mov ebx, dword ptr fs:[00000030h]2_2_03A6A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6A6C7 mov eax, dword ptr fs:[00000030h]2_2_03A6A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4E627 mov eax, dword ptr fs:[00000030h]2_2_03A4E627
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A66620 mov eax, dword ptr fs:[00000030h]2_2_03A66620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A68620 mov eax, dword ptr fs:[00000030h]2_2_03A68620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3262C mov eax, dword ptr fs:[00000030h]2_2_03A3262C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAE609 mov eax, dword ptr fs:[00000030h]2_2_03AAE609
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]2_2_03A4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]2_2_03A4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]2_2_03A4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]2_2_03A4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]2_2_03A4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]2_2_03A4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]2_2_03A4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72619 mov eax, dword ptr fs:[00000030h]2_2_03A72619
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF866E mov eax, dword ptr fs:[00000030h]2_2_03AF866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF866E mov eax, dword ptr fs:[00000030h]2_2_03AF866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6A660 mov eax, dword ptr fs:[00000030h]2_2_03A6A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6A660 mov eax, dword ptr fs:[00000030h]2_2_03A6A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A62674 mov eax, dword ptr fs:[00000030h]2_2_03A62674
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4C640 mov eax, dword ptr fs:[00000030h]2_2_03A4C640
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB05A7 mov eax, dword ptr fs:[00000030h]2_2_03AB05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB05A7 mov eax, dword ptr fs:[00000030h]2_2_03AB05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB05A7 mov eax, dword ptr fs:[00000030h]2_2_03AB05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A545B1 mov eax, dword ptr fs:[00000030h]2_2_03A545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A545B1 mov eax, dword ptr fs:[00000030h]2_2_03A545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A32582 mov eax, dword ptr fs:[00000030h]2_2_03A32582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A32582 mov ecx, dword ptr fs:[00000030h]2_2_03A32582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A64588 mov eax, dword ptr fs:[00000030h]2_2_03A64588
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E59C mov eax, dword ptr fs:[00000030h]2_2_03A6E59C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03A5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03A5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03A5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03A5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03A5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03A5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03A5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03A5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A325E0 mov eax, dword ptr fs:[00000030h]2_2_03A325E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6C5ED mov eax, dword ptr fs:[00000030h]2_2_03A6C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6C5ED mov eax, dword ptr fs:[00000030h]2_2_03A6C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E5CF mov eax, dword ptr fs:[00000030h]2_2_03A6E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E5CF mov eax, dword ptr fs:[00000030h]2_2_03A6E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A365D0 mov eax, dword ptr fs:[00000030h]2_2_03A365D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6A5D0 mov eax, dword ptr fs:[00000030h]2_2_03A6A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6A5D0 mov eax, dword ptr fs:[00000030h]2_2_03A6A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]2_2_03A40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]2_2_03A40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]2_2_03A40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]2_2_03A40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]2_2_03A40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]2_2_03A40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h]2_2_03A5E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h]2_2_03A5E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h]2_2_03A5E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h]2_2_03A5E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h]2_2_03A5E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC6500 mov eax, dword ptr fs:[00000030h]2_2_03AC6500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]2_2_03B04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]2_2_03B04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]2_2_03B04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]2_2_03B04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]2_2_03B04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]2_2_03B04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]2_2_03B04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6656A mov eax, dword ptr fs:[00000030h]2_2_03A6656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6656A mov eax, dword ptr fs:[00000030h]2_2_03A6656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6656A mov eax, dword ptr fs:[00000030h]2_2_03A6656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A38550 mov eax, dword ptr fs:[00000030h]2_2_03A38550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A38550 mov eax, dword ptr fs:[00000030h]2_2_03A38550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A364AB mov eax, dword ptr fs:[00000030h]2_2_03A364AB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A644B0 mov ecx, dword ptr fs:[00000030h]2_2_03A644B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ABA4B0 mov eax, dword ptr fs:[00000030h]2_2_03ABA4B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A304E5 mov ecx, dword ptr fs:[00000030h]2_2_03A304E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2E420 mov eax, dword ptr fs:[00000030h]2_2_03A2E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2E420 mov eax, dword ptr fs:[00000030h]2_2_03A2E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2E420 mov eax, dword ptr fs:[00000030h]2_2_03A2E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2C427 mov eax, dword ptr fs:[00000030h]2_2_03A2C427
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]2_2_03AB6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]2_2_03AB6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]2_2_03AB6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]2_2_03AB6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]2_2_03AB6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]2_2_03AB6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]2_2_03AB6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6A430 mov eax, dword ptr fs:[00000030h]2_2_03A6A430
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A68402 mov eax, dword ptr fs:[00000030h]2_2_03A68402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A68402 mov eax, dword ptr fs:[00000030h]2_2_03A68402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A68402 mov eax, dword ptr fs:[00000030h]2_2_03A68402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ABC460 mov ecx, dword ptr fs:[00000030h]2_2_03ABC460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5A470 mov eax, dword ptr fs:[00000030h]2_2_03A5A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5A470 mov eax, dword ptr fs:[00000030h]2_2_03A5A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5A470 mov eax, dword ptr fs:[00000030h]2_2_03A5A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]2_2_03A6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]2_2_03A6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]2_2_03A6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]2_2_03A6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]2_2_03A6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]2_2_03A6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]2_2_03A6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]2_2_03A6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2645D mov eax, dword ptr fs:[00000030h]2_2_03A2645D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5245A mov eax, dword ptr fs:[00000030h]2_2_03A5245A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40BBE mov eax, dword ptr fs:[00000030h]2_2_03A40BBE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40BBE mov eax, dword ptr fs:[00000030h]2_2_03A40BBE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A38BF0 mov eax, dword ptr fs:[00000030h]2_2_03A38BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A38BF0 mov eax, dword ptr fs:[00000030h]2_2_03A38BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A38BF0 mov eax, dword ptr fs:[00000030h]2_2_03A38BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5EBFC mov eax, dword ptr fs:[00000030h]2_2_03A5EBFC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ABCBF0 mov eax, dword ptr fs:[00000030h]2_2_03ABCBF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A50BCB mov eax, dword ptr fs:[00000030h]2_2_03A50BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A50BCB mov eax, dword ptr fs:[00000030h]2_2_03A50BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A50BCB mov eax, dword ptr fs:[00000030h]2_2_03A50BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A30BCD mov eax, dword ptr fs:[00000030h]2_2_03A30BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A30BCD mov eax, dword ptr fs:[00000030h]2_2_03A30BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A30BCD mov eax, dword ptr fs:[00000030h]2_2_03A30BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADEBD0 mov eax, dword ptr fs:[00000030h]2_2_03ADEBD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5EB20 mov eax, dword ptr fs:[00000030h]2_2_03A5EB20
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5EB20 mov eax, dword ptr fs:[00000030h]2_2_03A5EB20
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF8B28 mov eax, dword ptr fs:[00000030h]2_2_03AF8B28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF8B28 mov eax, dword ptr fs:[00000030h]2_2_03AF8B28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]2_2_03AAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]2_2_03AAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]2_2_03AAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]2_2_03AAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]2_2_03AAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]2_2_03AAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]2_2_03AAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]2_2_03AAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]2_2_03AAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2CB7E mov eax, dword ptr fs:[00000030h]2_2_03A2CB7E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC6B40 mov eax, dword ptr fs:[00000030h]2_2_03AC6B40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC6B40 mov eax, dword ptr fs:[00000030h]2_2_03AC6B40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AFAB40 mov eax, dword ptr fs:[00000030h]2_2_03AFAB40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AD8B42 mov eax, dword ptr fs:[00000030h]2_2_03AD8B42
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A38AA0 mov eax, dword ptr fs:[00000030h]2_2_03A38AA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A38AA0 mov eax, dword ptr fs:[00000030h]2_2_03A38AA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A86AA4 mov eax, dword ptr fs:[00000030h]2_2_03A86AA4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]2_2_03A3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]2_2_03A3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]2_2_03A3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]2_2_03A3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]2_2_03A3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]2_2_03A3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]2_2_03A3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]2_2_03A3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]2_2_03A3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B04A80 mov eax, dword ptr fs:[00000030h]2_2_03B04A80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A68A90 mov edx, dword ptr fs:[00000030h]2_2_03A68A90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6AAEE mov eax, dword ptr fs:[00000030h]2_2_03A6AAEE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6AAEE mov eax, dword ptr fs:[00000030h]2_2_03A6AAEE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A86ACC mov eax, dword ptr fs:[00000030h]2_2_03A86ACC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A86ACC mov eax, dword ptr fs:[00000030h]2_2_03A86ACC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A86ACC mov eax, dword ptr fs:[00000030h]2_2_03A86ACC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A30AD0 mov eax, dword ptr fs:[00000030h]2_2_03A30AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A64AD0 mov eax, dword ptr fs:[00000030h]2_2_03A64AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A64AD0 mov eax, dword ptr fs:[00000030h]2_2_03A64AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6CA24 mov eax, dword ptr fs:[00000030h]2_2_03A6CA24
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5EA2E mov eax, dword ptr fs:[00000030h]2_2_03A5EA2E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A54A35 mov eax, dword ptr fs:[00000030h]2_2_03A54A35
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A54A35 mov eax, dword ptr fs:[00000030h]2_2_03A54A35
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6CA38 mov eax, dword ptr fs:[00000030h]2_2_03A6CA38
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ABCA11 mov eax, dword ptr fs:[00000030h]2_2_03ABCA11
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6CA6F mov eax, dword ptr fs:[00000030h]2_2_03A6CA6F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6CA6F mov eax, dword ptr fs:[00000030h]2_2_03A6CA6F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6CA6F mov eax, dword ptr fs:[00000030h]2_2_03A6CA6F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AACA72 mov eax, dword ptr fs:[00000030h]2_2_03AACA72
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AACA72 mov eax, dword ptr fs:[00000030h]2_2_03AACA72
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]2_2_03A36A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]2_2_03A36A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]2_2_03A36A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]2_2_03A36A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]2_2_03A36A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]2_2_03A36A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]2_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A40A5B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A309AD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB89B3 mov esi, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB89B3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03ABE9E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A629F9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AC69C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A649D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AFA9D3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB892A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AC892B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AAE908 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03ABC912 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A28918 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A56962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A7096E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A7096E mov edx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03ABC97C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB0946 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A30887 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03ABC89D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AFA8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A6C8F9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A5E8C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A52835 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A52835 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A6A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03ABC810 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03ABE872 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AC6870 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A42840 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A60854 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A34859 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A6CF80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A62F98 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A4CFE0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A70FF6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B04FE7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AE6FF7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A32FC8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A2EFD8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A5EF28 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AE6F00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A32F12 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A6CF1F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A5AF69 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B04F68 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03AB4F40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A2CF50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A6CF50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03ABCEA0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03ACAEB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A2AE90 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A62E9C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A62E9C mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A36EE0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\W1POMvaEjU.exe Code function: 0_2_00C881F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\Desktop\W1POMvaEjU.exe Code function: 0_2_00C5A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\W1POMvaEjU.exe Code function: 0_2_00C5A364 SetUnhandledExceptionFilter

          HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\W1POMvaEjU.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Users\user\Desktop\W1POMvaEjU.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 3158008
Source: C:\Users\user\Desktop\W1POMvaEjU.exe Code function: 0_2_00C88C93 LogonUserW
Source: C:\Users\user\Desktop\W1POMvaEjU.exe Code function: 0_2_00C33B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\W1POMvaEjU.exe Code function: 0_2_00C34A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\Desktop\W1POMvaEjU.exe Code function: 0_2_00C94EC9 mouse_event
Source: C:\Users\user\Desktop\W1POMvaEjU.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\W1POMvaEjU.exe"
Source: C:\Users\user\Desktop\W1POMvaEjU.exe Code function: 0_2_00C881F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\Desktop\W1POMvaEjU.exe Code function: 0_2_00C94C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: W1POMvaEjU.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: W1POMvaEjU.exe Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\W1POMvaEjU.exe Code function: 0_2_00C5886B cpuid
Source: C:\Users\user\Desktop\W1POMvaEjU.exe Code function: 0_2_00C650D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
Source: C:\Users\user\Desktop\W1POMvaEjU.exe Code function: 0_2_00C72230 GetUserNameW
Source: C:\Users\user\Desktop\W1POMvaEjU.exe Code function: 0_2_00C6418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
Source: C:\Users\user\Desktop\W1POMvaEjU.exe Code function: 0_2_00C34AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo

          Stealing of Sensitive Information

Source: Yara match, File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000002.00000002.2251633216.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.2251943899.0000000003940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: W1POMvaEjU.exe Binary or memory string: WIN_81
Source: W1POMvaEjU.exe Binary or memory string: WIN_XP
Source: W1POMvaEjU.exe Binary or memory string: WIN_XPe
Source: W1POMvaEjU.exe Binary or memory string: WIN_VISTA
Source: W1POMvaEjU.exe Binary or memory string: WIN_7
Source: W1POMvaEjU.exe Binary or memory string: WIN_8
Source: W1POMvaEjU.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

          Remote Access Functionality

Source: Yara match, File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000002.00000002.2251633216.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.2251943899.0000000003940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\W1POMvaEjU.exe Code function: 0_2_00CA6596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\W1POMvaEjU.exe Code function: 0_2_00CA6A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket
MITRE ATT&CK Matrix (a leading number is the count the report shows for that cell; one row per table row, columns separated by |)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 1 Native API | 2 Valid Accounts | 2 Valid Accounts | 2 Valid Accounts | 21 Input Capture | 2 System Time Discovery | Remote Services | 21 Input Capture | 1 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | LSASS Memory | 15 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 21 Access Token Manipulation | 2 Virtualization/Sandbox Evasion | Security Account Manager | 2 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 3 Clipboard Data | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 212 Process Injection | 21 Access Token Manipulation | NTDS | 3 Process Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 1 DLL Side-Loading | 212 Process Injection | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Deobfuscate/Decode Files or Information | Cached Domain Credentials | 1 Account Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Obfuscated Files or Information | DCSync | 1 System Owner/User Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 1 File and Directory Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 115 System Information Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Source | Detection | Scanner | Label
W1POMvaEjU.exe | 71% | ReversingLabs | Win32.Trojan.AutoitInject
W1POMvaEjU.exe | 100% | Joe Sandbox ML |
          No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 217.20.57.18 | true | false | | high
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | high
No contacted IP infos
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1588805
Start date and time: 2025-01-11 05:42:47 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 13s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: W1POMvaEjU.exe (renamed because the original name is a hash value)
Original Sample Name: 6d81217c0442e0535162372b709e4d851959859e8dd412b06218386fc06806f4.exe
Detection: MAL
Classification: mal80.troj.evad.winEXE@3/2@0/0
              EGA Information:
              • Successful, ratio: 100%
              HCA Information:
              • Successful, ratio: 97%
              • Number of executed functions: 46
              • Number of non-executed functions: 279
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Stop behavior analysis, all processes terminated
              • Exclude process from analysis (whitelisted): dllhost.exe
              • Excluded IPs from analysis (whitelisted): 172.202.163.200, 20.242.39.171, 13.107.246.45
              • Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
              • Report creation exceeded maximum time and may have missing disassembly code information.
              • Report size exceeded maximum capacity and may have missing disassembly code.
              • VT rate limit hit for: W1POMvaEjU.exe
Time | Type | Description
23:43:47 | API Interceptor | 3x Sleep call for process: svchost.exe modified
              No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 1731726859230921847.js | malicious | Strela Downloader | 217.20.57.36
 | 28926317492847332246.js | malicious | Strela Downloader | 217.20.57.20
 | 16267239851350230287.js | malicious | Strela Downloader | 217.20.57.35
 | 395621741190315695.js | malicious | Strela Downloader | 217.20.57.18
 | 884736801811116482.js | malicious | Strela Downloader | 217.20.57.18
 | 248185965269371196.js | malicious | Strela Downloader | 217.20.57.43
 | 2949911514285745182.js | malicious | Strela Downloader | 217.20.57.20
 | 24667857242018421.js | malicious | Strela Downloader | 217.20.57.23
 | 20891229701394327174.js | malicious | Strela Downloader | 217.20.57.23
 | 25717297553175212150.js | malicious | Strela Downloader | 217.20.57.43
fp2e7a.wpc.phicdn.net | 67qCH13C8n.exe | malicious | FormBook | 192.229.221.95
 | Pb4xbhZNjF.exe | malicious | FormBook | 192.229.221.95
 | 229242754773566299.js | malicious | Strela Downloader | 192.229.221.95
 | GhwFStoMJX.exe | malicious | Unknown | 192.229.221.95
 | AudioCodesAppSuite.exe | malicious | Unknown | 192.229.221.95
 | launcher.exe.bin.exe | malicious | PureLog Stealer, Xmrig, zgRAT | 192.229.221.95
 | Shipping Document.exe | malicious | FormBook, PureLog Stealer | 192.229.221.95
 | https://marcuso-wq.github.io/home/ | malicious | HTMLPhisher | 192.229.221.95
 | 1.png | malicious | Unknown | 192.229.221.95
 | atomxml.ps1 | malicious | PureLog Stealer, RHADAMANTHYS, zgRAT | 192.229.221.95
              No context
Process: C:\Users\user\Desktop\W1POMvaEjU.exe
File Type: data
Category: dropped
Size (bytes): 288768
Entropy (8bit): 7.995000663087572
Encrypted: true
SSDEEP: 6144:IGXOsn4dfGsxw2VNpLA8Ey/RvBlCKRyQEoXB9F1fgOZPATeEMg:IGXOsn4dOsxwENJlxZuKRNv7XZoDMg
MD5: 322486B2BB2A089F0377624C994E2379
SHA1: 5DE3C5CF4984D00FFA2429BC2E53C3DF0B245802
SHA-256: 7A1947568F9F1072718856F522118DBCF03235F5FEF8E209CC3E98E6BF14C81C
SHA-512: 4CDB978B9A80943CCE2DC859AEB0EA8FC7278B9DC2CCBC0E7920BE9B044D3C9A8EE5867B8EDDABE5274B8B94BD18E704B34C00025149F1B951B5F6BBD09BF761
Malicious: false
Reputation: low
Process: C:\Users\user\Desktop\W1POMvaEjU.exe
File Type: data
Category: dropped
Size (bytes): 288768
Entropy (8bit): 7.995000663087572
Encrypted: true
SSDEEP: 6144:IGXOsn4dfGsxw2VNpLA8Ey/RvBlCKRyQEoXB9F1fgOZPATeEMg:IGXOsn4dOsxwENJlxZuKRNv7XZoDMg
MD5: 322486B2BB2A089F0377624C994E2379
SHA1: 5DE3C5CF4984D00FFA2429BC2E53C3DF0B245802
SHA-256: 7A1947568F9F1072718856F522118DBCF03235F5FEF8E209CC3E98E6BF14C81C
SHA-512: 4CDB978B9A80943CCE2DC859AEB0EA8FC7278B9DC2CCBC0E7920BE9B044D3C9A8EE5867B8EDDABE5274B8B94BD18E704B34C00025149F1B951B5F6BBD09BF761
Malicious: false
Reputation: low
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.181388500506046
              TrID:
              • Win32 Executable (generic) a (10002005/4) 99.96%
              • Generic Win/DOS Executable (2004/3) 0.02%
              • DOS Executable Generic (2002/1) 0.02%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:W1POMvaEjU.exe
              File size:1'226'752 bytes
              MD5:cd1cb6efd134a033bf59c6b44cd24b52
              SHA1:e6a18b32c4b16c5e5be92e403f7c09ab6f587c13
              SHA256:6d81217c0442e0535162372b709e4d851959859e8dd412b06218386fc06806f4
              SHA512:25ca9df159e5d9f90c78af79ecf69ed319198b7802a7528b17cf43d7eb2002399d9055d99f53b2bda84729ad23f35e69e01b701a66379fcaf14def3ed7badd9e
              SSDEEP:24576:qAHnh+eWsN3skA4RV1Hom2KXMmHaDDha7x52Cg38dsE5:9h+ZkldoPK8YaDDha7yO7
              TLSH:0E45BE0273D1C032FFABA2739B6AF24156BD79654123852F13981DB9BD701B2273E663
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..
              Icon Hash:aaf3e3e3938382a0
              Entrypoint:0x42800a
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
              DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
              Time Stamp:0x676A1C98 [Tue Dec 24 02:29:44 2024 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:5
              OS Version Minor:1
              File Version Major:5
              File Version Minor:1
              Subsystem Version Major:5
              Subsystem Version Minor:1
              Import Hash:afcdf79be1557326c854b6e20cb900a7
              Instruction
              call 00007FEA28B5F31Dh
              jmp 00007FEA28B520D4h
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              push edi
              push esi
              mov esi, dword ptr [esp+10h]
              mov ecx, dword ptr [esp+14h]
              mov edi, dword ptr [esp+0Ch]
              mov eax, ecx
              mov edx, ecx
              add eax, esi
              cmp edi, esi
              jbe 00007FEA28B5225Ah
              cmp edi, eax
              jc 00007FEA28B525BEh
              bt dword ptr [004C41FCh], 01h
              jnc 00007FEA28B52259h
              rep movsb
              jmp 00007FEA28B5256Ch
              cmp ecx, 00000080h
              jc 00007FEA28B52424h
              mov eax, edi
              xor eax, esi
              test eax, 0000000Fh
              jne 00007FEA28B52260h
              bt dword ptr [004BF324h], 01h
              jc 00007FEA28B52730h
              bt dword ptr [004C41FCh], 00000000h
              jnc 00007FEA28B523FDh
              test edi, 00000003h
              jne 00007FEA28B5240Eh
              test esi, 00000003h
              jne 00007FEA28B523EDh
              bt edi, 02h
              jnc 00007FEA28B5225Fh
              mov eax, dword ptr [esi]
              sub ecx, 04h
              lea esi, dword ptr [esi+04h]
              mov dword ptr [edi], eax
              lea edi, dword ptr [edi+04h]
              bt edi, 03h
              jnc 00007FEA28B52263h
              movq xmm1, qword ptr [esi]
              sub ecx, 08h
              lea esi, dword ptr [esi+08h]
              movq qword ptr [edi], xmm1
              lea edi, dword ptr [edi+08h]
              test esi, 00000007h
              je 00007FEA28B522B5h
              bt esi, 03h
              Programming Language:
              • [ASM] VS2013 build 21005
              • [ C ] VS2013 build 21005
              • [C++] VS2013 build 21005
              • [ C ] VS2008 SP1 build 30729
              • [IMP] VS2008 SP1 build 30729
              • [ASM] VS2013 UPD5 build 40629
              • [RES] VS2013 build 21005
              • [LNK] VS2013 UPD5 build 40629
              Name | Virtual Address | Virtual Size | Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbc0cc | 0x17c | .rdata
              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc8000 | 0x610d8 | .rsrc
              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x12a000 | 0x7134 | .reloc
              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4b50 | 0x40 | .rdata
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
              Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
              .text | 0x1000 | 0x8dfdd | 0x8e000 | 310e36668512d53489c005622bb1b4a9 | False | 0.5735602580325704 | data | 6.675248351711057 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              .rdata | 0x8f000 | 0x2fd8e | 0x2fe00 | 748cf1ab2605ce1fd72d53d912abb68f | False | 0.32828818537859006 | data | 5.763244005758284 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .data | 0xbf000 | 0x8f74 | 0x5200 | aae9601d920f07080bdfadf43dfeff12 | False | 0.1017530487804878 | data | 1.1963819235530628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              .rsrc | 0xc8000 | 0x610d8 | 0x61200 | 37dbdb8dd580d6d7425829977990b7a7 | False | 0.9321835786679536 | data | 7.903454861544564 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .reloc | 0x12a000 | 0x7134 | 0x7200 | f04128ad0f87f42830e4a6cdbc38c719 | False | 0.7617530153508771 | data | 6.783955557128661 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
              Name | RVA | Size | Type | Language | Country | ZLIB Complexity
              RT_ICON | 0xc85a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
              RT_ICON | 0xc86d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
              RT_ICON | 0xc87f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
              RT_ICON | 0xc8920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
              RT_ICON | 0xc8c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
              RT_ICON | 0xc8d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
              RT_ICON | 0xc9bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
              RT_ICON | 0xca480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
              RT_ICON | 0xca9e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
              RT_ICON | 0xccf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
              RT_ICON | 0xce038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
              RT_MENU | 0xce4a0 | 0x50 | data | English | Great Britain | 0.9
              RT_STRING | 0xce4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
              RT_STRING | 0xcea84 | 0x68a | data | English | Great Britain | 0.2747909199522103
              RT_STRING | 0xcf110 | 0x490 | data | English | Great Britain | 0.3715753424657534
              RT_STRING | 0xcf5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
              RT_STRING | 0xcfb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
              RT_STRING | 0xd01f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
              RT_STRING | 0xd0660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
              RT_RCDATA | 0xd07b8 | 0x5839f | data | | | 1.00033483223798
              RT_GROUP_ICON | 0x128b58 | 0x76 | data | English | Great Britain | 0.6610169491525424
              RT_GROUP_ICON | 0x128bd0 | 0x14 | data | English | Great Britain | 1.25
              RT_GROUP_ICON | 0x128be4 | 0x14 | data | English | Great Britain | 1.15
              RT_GROUP_ICON | 0x128bf8 | 0x14 | data | English | Great Britain | 1.25
              RT_VERSION | 0x128c0c | 0xdc | data | English | Great Britain | 0.6181818181818182
              RT_MANIFEST | 0x128ce8 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
              DLL | Import
              WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
              VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
              WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
              COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
              MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
              WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
              PSAPI.DLL | GetProcessMemoryInfo
              IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
              USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
              UxTheme.dll | IsThemeActive
              KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
              USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
              GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
              COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
              ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
              SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
              ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
              OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
              Language of compilation system | Country where language is spoken | Map
              English | Great Britain |
              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
              Jan 11, 2025 05:43:56.767745972 CET | 1.1.1.1 | 192.168.2.6 | 0x535e | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
              Jan 11, 2025 05:43:56.767745972 CET | 1.1.1.1 | 192.168.2.6 | 0x535e | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false
              Jan 11, 2025 05:43:57.771671057 CET | 1.1.1.1 | 192.168.2.6 | 0xd217 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | CNAME (Canonical name) | IN (0x0001) | false
              Jan 11, 2025 05:43:57.771671057 CET | 1.1.1.1 | 192.168.2.6 | 0xd217 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.18 | A (IP address) | IN (0x0001) | false
              Jan 11, 2025 05:43:57.771671057 CET | 1.1.1.1 | 192.168.2.6 | 0xd217 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.34 | A (IP address) | IN (0x0001) | false
              Jan 11, 2025 05:43:57.771671057 CET | 1.1.1.1 | 192.168.2.6 | 0xd217 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 84.201.210.23 | A (IP address) | IN (0x0001) | false
              Jan 11, 2025 05:43:57.771671057 CET | 1.1.1.1 | 192.168.2.6 | 0xd217 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.35 | A (IP address) | IN (0x0001) | false
              Jan 11, 2025 05:43:57.771671057 CET | 1.1.1.1 | 192.168.2.6 | 0xd217 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.19 | A (IP address) | IN (0x0001) | false
              Jan 11, 2025 05:43:57.771671057 CET | 1.1.1.1 | 192.168.2.6 | 0xd217 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.36 | A (IP address) | IN (0x0001) | false
              Jan 11, 2025 05:43:57.771671057 CET | 1.1.1.1 | 192.168.2.6 | 0xd217 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 84.201.210.39 | A (IP address) | IN (0x0001) | false
              Jan 11, 2025 05:43:57.771671057 CET | 1.1.1.1 | 192.168.2.6 | 0xd217 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.20 | A (IP address) | IN (0x0001) | false

              Target ID:0
              Start time:23:43:38
              Start date:10/01/2025
              Path:C:\Users\user\Desktop\W1POMvaEjU.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\Desktop\W1POMvaEjU.exe"
              Imagebase:0xc30000
              File size:1'226'752 bytes
              MD5 hash:CD1CB6EFD134A033BF59C6B44CD24B52
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:low
              Has exited:true

              Target ID:2
              Start time:23:43:39
              Start date:10/01/2025
              Path:C:\Windows\SysWOW64\svchost.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\Desktop\W1POMvaEjU.exe"
              Imagebase:0xe20000
              File size:46'504 bytes
              MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2251633216.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2251943899.0000000003940000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              Reputation:high
              Has exited:true

                Execution Graph

                Execution Coverage:3.4%
                Dynamic/Decrypted Code Coverage:0.4%
                Signature Coverage:6.4%
                Total number of Nodes:2000
                Total number of Limit Nodes:147
59 API calls 99258->99259 99260 c460ff 99259->99260 99300 c45bfd 99260->99300 99263 c45bfd 59 API calls 99264 c4610f 99263->99264 99265 c377c7 59 API calls 99264->99265 99266 c4611a 99265->99266 99267 c50ff6 Mailbox 59 API calls 99266->99267 99268 c3fa68 99267->99268 99269 c46259 99268->99269 99270 c46267 99269->99270 99271 c377c7 59 API calls 99270->99271 99272 c46272 99271->99272 99273 c377c7 59 API calls 99272->99273 99274 c4627d 99273->99274 99275 c377c7 59 API calls 99274->99275 99276 c46288 99275->99276 99277 c377c7 59 API calls 99276->99277 99278 c46293 99277->99278 99279 c45bfd 59 API calls 99278->99279 99280 c4629e 99279->99280 99281 c50ff6 Mailbox 59 API calls 99280->99281 99282 c462a5 RegisterWindowMessageW 99281->99282 99282->99229 99285 c4ffee 99284->99285 99286 c85cc3 99284->99286 99287 c50ff6 Mailbox 59 API calls 99285->99287 99303 c99d71 60 API calls 99286->99303 99289 c4fff6 99287->99289 99289->99233 99290 c85cce 99291->99240 99292->99242 99304 c9748f 65 API calls 99292->99304 99294 c377c7 59 API calls 99293->99294 99295 c50227 99294->99295 99296 c377c7 59 API calls 99295->99296 99297 c5022f 99296->99297 99298 c377c7 59 API calls 99297->99298 99299 c5017b 99298->99299 99299->99249 99301 c377c7 59 API calls 99300->99301 99302 c45c05 99301->99302 99302->99263 99303->99290 99306 c52e90 __fcloseall 99305->99306 99313 c53457 99306->99313 99312 c52eb7 __fcloseall 99312->99245 99330 c59e4b 99313->99330 99315 c52e99 99316 c52ec8 DecodePointer DecodePointer 99315->99316 99317 c52ef5 99316->99317 99318 c52ea5 99316->99318 99317->99318 99376 c589e4 59 API calls __swprintf 99317->99376 99327 c52ec2 99318->99327 99320 c52f07 99321 c52f58 EncodePointer EncodePointer 99320->99321 99322 c52f2c 99320->99322 99377 c58aa4 61 API calls 2 library calls 99320->99377 99321->99318 99322->99318 99325 c52f46 EncodePointer 99322->99325 99378 c58aa4 61 API calls 2 library calls 99322->99378 99325->99321 99326 c52f40 99326->99318 99326->99325 99379 c53460 99327->99379 99331 
c59e5c 99330->99331 99332 c59e6f EnterCriticalSection 99330->99332 99337 c59ed3 99331->99337 99332->99315 99334 c59e62 99334->99332 99361 c532f5 58 API calls 3 library calls 99334->99361 99338 c59edf __fcloseall 99337->99338 99339 c59f00 99338->99339 99340 c59ee8 99338->99340 99353 c59f21 __fcloseall 99339->99353 99365 c58a5d 58 API calls __malloc_crt 99339->99365 99362 c5a3ab 58 API calls 2 library calls 99340->99362 99343 c59eed 99363 c5a408 58 API calls 8 library calls 99343->99363 99345 c59f15 99347 c59f1c 99345->99347 99348 c59f2b 99345->99348 99346 c59ef4 99364 c532df GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 99346->99364 99366 c58d68 58 API calls __getptd_noexit 99347->99366 99351 c59e4b __lock 58 API calls 99348->99351 99354 c59f32 99351->99354 99353->99334 99355 c59f57 99354->99355 99356 c59f3f 99354->99356 99368 c52f95 99355->99368 99367 c5a06b InitializeCriticalSectionAndSpinCount 99356->99367 99359 c59f4b 99374 c59f73 LeaveCriticalSection _doexit 99359->99374 99362->99343 99363->99346 99365->99345 99366->99353 99367->99359 99369 c52f9e RtlFreeHeap 99368->99369 99373 c52fc7 _free 99368->99373 99370 c52fb3 99369->99370 99369->99373 99375 c58d68 58 API calls __getptd_noexit 99370->99375 99372 c52fb9 GetLastError 99372->99373 99373->99359 99374->99353 99375->99372 99376->99320 99377->99322 99378->99326 99382 c59fb5 LeaveCriticalSection 99379->99382 99381 c52ec7 99381->99312 99382->99381 99383 c31016 99388 c34ad2 99383->99388 99386 c52f80 __cinit 67 API calls 99387 c31025 99386->99387 99389 c50ff6 Mailbox 59 API calls 99388->99389 99390 c34ada 99389->99390 99391 c3101b 99390->99391 99395 c34a94 99390->99395 99391->99386 99396 c34aaf 99395->99396 99397 c34a9d 99395->99397 99399 c34afe 99396->99399 99398 c52f80 __cinit 67 API calls 99397->99398 99398->99396 99400 c377c7 59 API calls 99399->99400 99401 c34b16 GetVersionExW 99400->99401 99402 c37d2c 59 API calls 99401->99402 99403 c34b59 99402->99403 99404 c37e8c 59 API calls 
99403->99404 99408 c34b86 99403->99408 99405 c34b7a 99404->99405 99427 c37886 99405->99427 99407 c34bf1 GetCurrentProcess IsWow64Process 99410 c34c0a 99407->99410 99408->99407 99409 c6dc8d 99408->99409 99411 c34c20 99410->99411 99412 c34c89 GetSystemInfo 99410->99412 99423 c34c95 99411->99423 99413 c34c56 99412->99413 99413->99391 99416 c34c32 99418 c34c95 2 API calls 99416->99418 99417 c34c7d GetSystemInfo 99419 c34c47 99417->99419 99420 c34c3a GetNativeSystemInfo 99418->99420 99419->99413 99421 c34c4d FreeLibrary 99419->99421 99420->99419 99421->99413 99424 c34c2e 99423->99424 99425 c34c9e LoadLibraryA 99423->99425 99424->99416 99424->99417 99425->99424 99426 c34caf GetProcAddress 99425->99426 99426->99424 99428 c37894 99427->99428 99429 c37e8c 59 API calls 99428->99429 99430 c378a4 99429->99430 99430->99408 99431 c57e93 99432 c57e9f __fcloseall 99431->99432 99468 c5a048 GetStartupInfoW 99432->99468 99434 c57ea4 99470 c58dbc GetProcessHeap 99434->99470 99436 c57efc 99437 c57f07 99436->99437 99553 c57fe3 58 API calls 3 library calls 99436->99553 99471 c59d26 99437->99471 99440 c57f0d 99441 c57f18 __RTC_Initialize 99440->99441 99554 c57fe3 58 API calls 3 library calls 99440->99554 99492 c5d812 99441->99492 99444 c57f27 99445 c57f33 GetCommandLineW 99444->99445 99555 c57fe3 58 API calls 3 library calls 99444->99555 99511 c65173 GetEnvironmentStringsW 99445->99511 99448 c57f32 99448->99445 99451 c57f4d 99452 c57f58 99451->99452 99556 c532f5 58 API calls 3 library calls 99451->99556 99521 c64fa8 99452->99521 99455 c57f5e 99456 c57f69 99455->99456 99557 c532f5 58 API calls 3 library calls 99455->99557 99535 c5332f 99456->99535 99459 c57f71 99460 c57f7c __wwincmdln 99459->99460 99558 c532f5 58 API calls 3 library calls 99459->99558 99541 c3492e 99460->99541 99463 c57f90 99464 c57f9f 99463->99464 99559 c53598 58 API calls _doexit 99463->99559 99560 c53320 58 API calls _doexit 99464->99560 99467 c57fa4 __fcloseall 99469 c5a05e 99468->99469 99469->99434 99470->99436 99561 
c533c7 36 API calls 2 library calls 99471->99561 99473 c59d2b 99562 c59f7c InitializeCriticalSectionAndSpinCount __mtinitlocks 99473->99562 99475 c59d30 99476 c59d34 99475->99476 99564 c59fca TlsAlloc 99475->99564 99563 c59d9c 61 API calls 2 library calls 99476->99563 99479 c59d39 99479->99440 99480 c59d46 99480->99476 99481 c59d51 99480->99481 99565 c58a15 99481->99565 99484 c59d93 99573 c59d9c 61 API calls 2 library calls 99484->99573 99487 c59d72 99487->99484 99489 c59d78 99487->99489 99488 c59d98 99488->99440 99572 c59c73 58 API calls 4 library calls 99489->99572 99491 c59d80 GetCurrentThreadId 99491->99440 99493 c5d81e __fcloseall 99492->99493 99494 c59e4b __lock 58 API calls 99493->99494 99495 c5d825 99494->99495 99496 c58a15 __calloc_crt 58 API calls 99495->99496 99498 c5d836 99496->99498 99497 c5d8a1 GetStartupInfoW 99505 c5d8b6 99497->99505 99506 c5d9e5 99497->99506 99498->99497 99499 c5d841 __fcloseall @_EH4_CallFilterFunc@8 99498->99499 99499->99444 99500 c5daad 99587 c5dabd LeaveCriticalSection _doexit 99500->99587 99502 c58a15 __calloc_crt 58 API calls 99502->99505 99503 c5da32 GetStdHandle 99503->99506 99504 c5da45 GetFileType 99504->99506 99505->99502 99505->99506 99507 c5d904 99505->99507 99506->99500 99506->99503 99506->99504 99586 c5a06b InitializeCriticalSectionAndSpinCount 99506->99586 99507->99506 99508 c5d938 GetFileType 99507->99508 99585 c5a06b InitializeCriticalSectionAndSpinCount 99507->99585 99508->99507 99512 c57f43 99511->99512 99513 c65184 99511->99513 99517 c64d6b GetModuleFileNameW 99512->99517 99588 c58a5d 58 API calls __malloc_crt 99513->99588 99515 c651aa _memmove 99516 c651c0 FreeEnvironmentStringsW 99515->99516 99516->99512 99518 c64d9f _wparse_cmdline 99517->99518 99520 c64ddf _wparse_cmdline 99518->99520 99589 c58a5d 58 API calls __malloc_crt 99518->99589 99520->99451 99522 c64fb9 99521->99522 99524 c64fc1 __wsetenvp 99521->99524 99522->99455 99523 c58a15 __calloc_crt 58 API calls 99531 c64fea __wsetenvp 99523->99531 
99524->99523 99525 c65041 99526 c52f95 _free 58 API calls 99525->99526 99526->99522 99527 c58a15 __calloc_crt 58 API calls 99527->99531 99528 c65066 99529 c52f95 _free 58 API calls 99528->99529 99529->99522 99531->99522 99531->99525 99531->99527 99531->99528 99532 c6507d 99531->99532 99590 c64857 58 API calls __swprintf 99531->99590 99591 c59006 IsProcessorFeaturePresent 99532->99591 99534 c65089 99534->99455 99537 c5333b __IsNonwritableInCurrentImage 99535->99537 99614 c5a711 99537->99614 99538 c53359 __initterm_e 99539 c52f80 __cinit 67 API calls 99538->99539 99540 c53378 _doexit __IsNonwritableInCurrentImage 99538->99540 99539->99540 99540->99459 99542 c34948 99541->99542 99552 c349e7 99541->99552 99543 c34982 IsThemeActive 99542->99543 99617 c535ac 99543->99617 99547 c349ae 99629 c34a5b SystemParametersInfoW SystemParametersInfoW 99547->99629 99549 c349ba 99630 c33b4c 99549->99630 99551 c349c2 SystemParametersInfoW 99551->99552 99552->99463 99553->99437 99554->99441 99555->99448 99559->99464 99560->99467 99561->99473 99562->99475 99563->99479 99564->99480 99566 c58a1c 99565->99566 99568 c58a57 99566->99568 99570 c58a3a 99566->99570 99574 c65446 99566->99574 99568->99484 99571 c5a026 TlsSetValue 99568->99571 99570->99566 99570->99568 99582 c5a372 Sleep 99570->99582 99571->99487 99572->99491 99573->99488 99575 c65451 99574->99575 99580 c6546c 99574->99580 99576 c6545d 99575->99576 99575->99580 99583 c58d68 58 API calls __getptd_noexit 99576->99583 99578 c6547c RtlAllocateHeap 99579 c65462 99578->99579 99578->99580 99579->99566 99580->99578 99580->99579 99584 c535e1 DecodePointer 99580->99584 99582->99570 99583->99579 99584->99580 99585->99507 99586->99506 99587->99499 99588->99515 99589->99520 99590->99531 99592 c59011 99591->99592 99597 c58e99 99592->99597 99596 c5902c 99596->99534 99598 c58eb3 _memset ___raise_securityfailure 99597->99598 99599 c58ed3 IsDebuggerPresent 99598->99599 99605 c5a395 SetUnhandledExceptionFilter UnhandledExceptionFilter 99599->99605 
99602 c58f97 ___raise_securityfailure 99606 c5c836 99602->99606 99603 c58fba 99604 c5a380 GetCurrentProcess TerminateProcess 99603->99604 99604->99596 99605->99602 99607 c5c840 IsProcessorFeaturePresent 99606->99607 99608 c5c83e 99606->99608 99610 c65b5a 99607->99610 99608->99603 99613 c65b09 5 API calls 2 library calls 99610->99613 99612 c65c3d 99612->99603 99613->99612 99615 c5a714 EncodePointer 99614->99615 99615->99615 99616 c5a72e 99615->99616 99616->99538 99618 c59e4b __lock 58 API calls 99617->99618 99619 c535b7 DecodePointer EncodePointer 99618->99619 99682 c59fb5 LeaveCriticalSection 99619->99682 99621 c349a7 99622 c53614 99621->99622 99623 c5361e 99622->99623 99624 c53638 99622->99624 99623->99624 99683 c58d68 58 API calls __getptd_noexit 99623->99683 99624->99547 99626 c53628 99684 c58ff6 9 API calls __swprintf 99626->99684 99628 c53633 99628->99547 99629->99549 99631 c33b59 __write_nolock 99630->99631 99632 c377c7 59 API calls 99631->99632 99633 c33b63 GetCurrentDirectoryW 99632->99633 99685 c33778 99633->99685 99635 c33b8c IsDebuggerPresent 99636 c33b9a 99635->99636 99637 c6d4ad MessageBoxA 99635->99637 99639 c6d4c7 99636->99639 99640 c33bb7 99636->99640 99669 c33c73 99636->99669 99637->99639 99638 c33c7a SetCurrentDirectoryW 99641 c33c87 Mailbox 99638->99641 99884 c37373 59 API calls Mailbox 99639->99884 99766 c373e5 99640->99766 99641->99551 99644 c6d4d7 99649 c6d4ed SetCurrentDirectoryW 99644->99649 99646 c33bd5 GetFullPathNameW 99647 c37d2c 59 API calls 99646->99647 99648 c33c10 99647->99648 99782 c40a8d 99648->99782 99649->99641 99652 c33c2e 99653 c33c38 99652->99653 99885 c94c03 AllocateAndInitializeSid CheckTokenMembership FreeSid 99652->99885 99798 c33a58 GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 99653->99798 99656 c6d50a 99656->99653 99659 c6d51b 99656->99659 99886 c34864 99659->99886 99660 c33c42 99662 c33c55 99660->99662 99664 c343db 68 API calls 99660->99664 99806 c40b30 99662->99806 99663 c6d523 99666 c37f41 59 API calls 
99663->99666 99664->99662 99668 c6d530 99666->99668 99667 c33c60 99667->99669 99883 c344cb Shell_NotifyIconW _memset 99667->99883 99670 c6d55f 99668->99670 99671 c6d53a 99668->99671 99669->99638 99673 c37e0b 59 API calls 99670->99673 99674 c37e0b 59 API calls 99671->99674 99675 c6d55b GetForegroundWindow ShellExecuteW 99673->99675 99676 c6d545 99674->99676 99679 c6d58f Mailbox 99675->99679 99678 c37c8e 59 API calls 99676->99678 99680 c6d552 99678->99680 99679->99669 99681 c37e0b 59 API calls 99680->99681 99681->99675 99682->99621 99683->99626 99684->99628 99686 c377c7 59 API calls 99685->99686 99687 c3378e 99686->99687 99893 c33d43 99687->99893 99689 c337ac 99690 c34864 61 API calls 99689->99690 99691 c337c0 99690->99691 99692 c37f41 59 API calls 99691->99692 99693 c337cd 99692->99693 99907 c34f3d 99693->99907 99696 c6d3ae 99963 c997e5 99696->99963 99697 c337ee Mailbox 99701 c381a7 59 API calls 99697->99701 99700 c6d3cd 99703 c52f95 _free 58 API calls 99700->99703 99704 c33801 99701->99704 99705 c6d3da 99703->99705 99931 c393ea 99704->99931 99707 c34faa 84 API calls 99705->99707 99709 c6d3e3 99707->99709 99713 c33ee2 59 API calls 99709->99713 99710 c37f41 59 API calls 99711 c3381a 99710->99711 99934 c38620 99711->99934 99715 c6d3fe 99713->99715 99714 c3382c Mailbox 99716 c37f41 59 API calls 99714->99716 99717 c33ee2 59 API calls 99715->99717 99718 c33852 99716->99718 99719 c6d41a 99717->99719 99720 c38620 69 API calls 99718->99720 99722 c34864 61 API calls 99719->99722 99721 c33861 Mailbox 99720->99721 99726 c377c7 59 API calls 99721->99726 99723 c6d43f 99722->99723 99724 c33ee2 59 API calls 99723->99724 99725 c6d44b 99724->99725 99727 c381a7 59 API calls 99725->99727 99728 c3387f 99726->99728 99729 c6d459 99727->99729 99938 c33ee2 99728->99938 99731 c33ee2 59 API calls 99729->99731 99733 c6d468 99731->99733 99739 c381a7 59 API calls 99733->99739 99735 c33899 99735->99709 99736 c338a3 99735->99736 99737 c5313d _W_store_winword 60 API calls 99736->99737 99738 c338ae 
99737->99738 99738->99715 99740 c338b8 99738->99740 99741 c6d48a 99739->99741 99742 c5313d _W_store_winword 60 API calls 99740->99742 99743 c33ee2 59 API calls 99741->99743 99744 c338c3 99742->99744 99745 c6d497 99743->99745 99744->99719 99746 c338cd 99744->99746 99745->99745 99747 c5313d _W_store_winword 60 API calls 99746->99747 99748 c338d8 99747->99748 99748->99733 99749 c33919 99748->99749 99751 c33ee2 59 API calls 99748->99751 99749->99733 99750 c33926 99749->99750 99752 c3942e 59 API calls 99750->99752 99753 c338fc 99751->99753 99754 c33936 99752->99754 99755 c381a7 59 API calls 99753->99755 99756 c391b0 59 API calls 99754->99756 99757 c3390a 99755->99757 99758 c33944 99756->99758 99759 c33ee2 59 API calls 99757->99759 99954 c39040 99758->99954 99759->99749 99761 c393ea 59 API calls 99763 c33961 99761->99763 99762 c39040 60 API calls 99762->99763 99763->99761 99763->99762 99764 c33ee2 59 API calls 99763->99764 99765 c339a7 Mailbox 99763->99765 99764->99763 99765->99635 99767 c373f2 __write_nolock 99766->99767 99768 c3740b 99767->99768 99769 c6ee4b _memset 99767->99769 100581 c348ae 99768->100581 99772 c6ee67 GetOpenFileNameW 99769->99772 99774 c6eeb6 99772->99774 99775 c37d2c 59 API calls 99774->99775 99777 c6eecb 99775->99777 99777->99777 99779 c37429 100609 c369ca 99779->100609 99783 c40a9a __write_nolock 99782->99783 100843 c36ee0 99783->100843 99785 c40a9f 99797 c33c26 99785->99797 100854 c412fe 89 API calls 99785->100854 99787 c40aac 99787->99797 100855 c44047 91 API calls Mailbox 99787->100855 99789 c40ab5 99790 c40ab9 GetFullPathNameW 99789->99790 99789->99797 99791 c37d2c 59 API calls 99790->99791 99792 c40ae5 99791->99792 99793 c37d2c 59 API calls 99792->99793 99794 c40af2 99793->99794 99795 c750d5 _wcscat 99794->99795 99796 c37d2c 59 API calls 99794->99796 99796->99797 99797->99644 99797->99652 99799 c33ac2 LoadImageW RegisterClassExW 99798->99799 99800 c6d49c 99798->99800 100892 c33041 7 API calls 99799->100892 100893 c348fe LoadImageW 
EnumResourceNamesW 99800->100893 99803 c33b46 99805 c339e7 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 99803->99805 99804 c6d4a5 99805->99660 99807 c750ed 99806->99807 99821 c40b55 99806->99821 100950 c9a0b5 89 API calls 4 library calls 99807->100950 99809 c40e5a 99809->99667 99811 c41044 99811->99809 99813 c41051 99811->99813 100948 c411f3 331 API calls Mailbox 99813->100948 99814 c40bab PeekMessageW 99882 c40b65 Mailbox 99814->99882 99816 c41058 LockWindowUpdate DestroyWindow GetMessageW 99816->99809 99819 c4108a 99816->99819 99818 c752ab Sleep 99818->99882 99823 c76082 TranslateMessage DispatchMessageW GetMessageW 99819->99823 99820 c40e44 99820->99809 100947 c411d0 10 API calls Mailbox 99820->100947 99821->99882 100951 c39fbd 60 API calls 99821->100951 100952 c868bf 331 API calls 99821->100952 99823->99823 99824 c760b2 99823->99824 99824->99809 99825 c40fa3 PeekMessageW 99825->99882 99826 c40fbf TranslateMessage DispatchMessageW 99826->99825 99827 c7517a TranslateAcceleratorW 99827->99825 99827->99882 99828 c40e73 timeGetTime 99828->99882 99829 c75c49 WaitForSingleObject 99831 c75c66 GetExitCodeProcess CloseHandle 99829->99831 99829->99882 99868 c410f5 99831->99868 99832 c40fdd Sleep 99867 c40fee Mailbox 99832->99867 99833 c381a7 59 API calls 99833->99882 99834 c377c7 59 API calls 99834->99867 99835 c75f22 Sleep 99835->99867 99837 c50ff6 59 API calls Mailbox 99837->99882 99839 c50719 timeGetTime 99839->99867 99840 c410ae timeGetTime 100949 c39fbd 60 API calls 99840->100949 99843 c75fb9 GetExitCodeProcess 99847 c75fe5 CloseHandle 99843->99847 99848 c75fcf WaitForSingleObject 99843->99848 99844 c39997 84 API calls 99844->99882 99845 cb61ac 110 API calls 99845->99867 99846 c3b93d 109 API calls 99846->99867 99847->99867 99848->99847 99848->99882 99850 c3b89c 304 API calls 99850->99882 99852 c75c9e 99852->99868 99853 c39fbd 60 API calls 99853->99882 99854 c754a2 Sleep 99854->99882 99855 c76041 Sleep 99855->99882 99857 c37f41 59 API calls 99857->99867 99861 
c3a000 304 API calls 99861->99882 99867->99834 99867->99839 99867->99843 99867->99845 99867->99846 99867->99852 99867->99854 99867->99855 99867->99857 99867->99868 99867->99882 100959 c928f7 60 API calls 99867->100959 100960 c39fbd 60 API calls 99867->100960 100961 c38b13 69 API calls Mailbox 99867->100961 100962 c3b89c 331 API calls 99867->100962 100963 c86a50 60 API calls 99867->100963 100964 c954e6 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 99867->100964 100965 c93e91 66 API calls Mailbox 99867->100965 99868->99667 99869 c9a0b5 89 API calls 99869->99882 99870 c38620 69 API calls 99870->99882 99872 c39df0 59 API calls Mailbox 99872->99882 99874 c866f4 59 API calls Mailbox 99874->99882 99875 c37f41 59 API calls 99875->99882 99876 c38b13 69 API calls 99876->99882 99877 c759ff VariantClear 99877->99882 99878 c75a95 VariantClear 99878->99882 99879 c75843 VariantClear 99879->99882 99880 c87405 59 API calls 99880->99882 99881 c38e34 59 API calls Mailbox 99881->99882 99882->99814 99882->99818 99882->99820 99882->99825 99882->99826 99882->99827 99882->99828 99882->99829 99882->99832 99882->99833 99882->99835 99882->99837 99882->99840 99882->99844 99882->99850 99882->99853 99882->99861 99882->99867 99882->99868 99882->99869 99882->99870 99882->99872 99882->99874 99882->99875 99882->99876 99882->99877 99882->99878 99882->99879 99882->99880 99882->99881 100894 c3e800 99882->100894 100925 c3f5c0 99882->100925 100944 c3e580 331 API calls 99882->100944 100945 c3fe40 331 API calls 2 library calls 99882->100945 100946 c331ce IsDialogMessageW GetClassLongW 99882->100946 100953 cb629f 59 API calls 99882->100953 100954 c99c9f 59 API calls Mailbox 99882->100954 100955 c8d9e3 59 API calls 99882->100955 100956 c86665 59 API calls 2 library calls 99882->100956 100957 c38561 59 API calls 99882->100957 100958 c3843f 59 API calls Mailbox 99882->100958 99883->99669 99884->99644 99885->99656 99887 c61b90 __write_nolock 99886->99887 99888 c34871 
GetModuleFileNameW 99887->99888 99889 c37f41 59 API calls 99888->99889 99890 c34897 99889->99890 99891 c348ae 60 API calls 99890->99891 99892 c348a1 Mailbox 99891->99892 99892->99663 99894 c33d50 __write_nolock 99893->99894 99895 c37d2c 59 API calls 99894->99895 99897 c33eb6 Mailbox 99894->99897 99898 c33d82 99895->99898 99897->99689 99905 c33db8 Mailbox 99898->99905 100004 c37b52 99898->100004 99899 c33e89 99899->99897 99900 c37f41 59 API calls 99899->99900 99902 c33eaa 99900->99902 99901 c37f41 59 API calls 99901->99905 99903 c33f84 59 API calls 99902->99903 99903->99897 99905->99897 99905->99899 99905->99901 99906 c37b52 59 API calls 99905->99906 100007 c33f84 99905->100007 99906->99905 100013 c34d13 99907->100013 99912 c6dd0f 99915 c34faa 84 API calls 99912->99915 99913 c34f68 LoadLibraryExW 100023 c34cc8 99913->100023 99917 c6dd16 99915->99917 99919 c34cc8 3 API calls 99917->99919 99920 c6dd1e 99919->99920 100049 c3506b 99920->100049 99921 c34f8f 99921->99920 99922 c34f9b 99921->99922 99924 c34faa 84 API calls 99922->99924 99926 c337e6 99924->99926 99926->99696 99926->99697 99928 c6dd45 100057 c35027 99928->100057 99930 c6dd52 99932 c50ff6 Mailbox 59 API calls 99931->99932 99933 c3380d 99932->99933 99933->99710 99935 c3862b 99934->99935 99937 c38652 99935->99937 100311 c38b13 69 API calls Mailbox 99935->100311 99937->99714 99939 c33f05 99938->99939 99940 c33eec 99938->99940 99942 c37d2c 59 API calls 99939->99942 99941 c381a7 59 API calls 99940->99941 99943 c3388b 99941->99943 99942->99943 99944 c5313d 99943->99944 99945 c531be 99944->99945 99946 c53149 99944->99946 100314 c531d0 60 API calls 3 library calls 99945->100314 99952 c5316e 99946->99952 100312 c58d68 58 API calls __getptd_noexit 99946->100312 99949 c531cb 99949->99735 99950 c53155 100313 c58ff6 9 API calls __swprintf 99950->100313 99952->99735 99953 c53160 99953->99735 99955 c6f5a5 99954->99955 99957 c39057 99954->99957 99955->99957 100316 c38d3b 59 API calls Mailbox 99955->100316 99958 c391a0 
99957->99958 99959 c39158 99957->99959 99962 c3915f 99957->99962 100315 c39e9c 60 API calls Mailbox 99958->100315 99961 c50ff6 Mailbox 59 API calls 99959->99961 99961->99962 99962->99763 99964 c35045 85 API calls 99963->99964 99965 c99854 99964->99965 100317 c999be 99965->100317 99968 c3506b 74 API calls 99969 c99881 99968->99969 99970 c3506b 74 API calls 99969->99970 99971 c99891 99970->99971 99972 c3506b 74 API calls 99971->99972 99973 c998ac 99972->99973 99974 c3506b 74 API calls 99973->99974 99975 c998c7 99974->99975 99976 c35045 85 API calls 99975->99976 99977 c998de 99976->99977 99978 c5594c __malloc_crt 58 API calls 99977->99978 99979 c998e5 99978->99979 99980 c5594c __malloc_crt 58 API calls 99979->99980 99981 c998ef 99980->99981 99982 c3506b 74 API calls 99981->99982 99983 c99903 99982->99983 99984 c99393 GetSystemTimeAsFileTime 99983->99984 99985 c99916 99984->99985 99986 c9992b 99985->99986 99987 c99940 99985->99987 99988 c52f95 _free 58 API calls 99986->99988 99989 c999a5 99987->99989 99990 c99946 99987->99990 99992 c99931 99988->99992 99991 c52f95 _free 58 API calls 99989->99991 100323 c98d90 116 API calls __fcloseall 99990->100323 99996 c6d3c1 99991->99996 99994 c52f95 _free 58 API calls 99992->99994 99994->99996 99995 c9999d 99997 c52f95 _free 58 API calls 99995->99997 99996->99700 99998 c34faa 99996->99998 99997->99996 99999 c34fb4 99998->99999 100001 c34fbb 99998->100001 100324 c555d6 99999->100324 100002 c34fdb FreeLibrary 100001->100002 100003 c34fca 100001->100003 100002->100003 100003->99700 100005 c37faf 59 API calls 100004->100005 100006 c37b5d 100005->100006 100006->99898 100008 c33f92 100007->100008 100012 c33fb4 _memmove 100007->100012 100011 c50ff6 Mailbox 59 API calls 100008->100011 100009 c50ff6 Mailbox 59 API calls 100010 c33fc8 100009->100010 100010->99905 100011->100012 100012->100009 100062 c34d61 100013->100062 100016 c34d61 2 API calls 100019 c34d3a 100016->100019 100017 c34d53 100020 c5548b 100017->100020 100018 c34d4a 
FreeLibrary 100018->100017 100019->100017 100019->100018 100066 c554a0 100020->100066 100022 c34f5c 100022->99912 100022->99913 100226 c34d94 100023->100226 100026 c34ced 100028 c34d08 100026->100028 100029 c34cff FreeLibrary 100026->100029 100027 c34d94 2 API calls 100027->100026 100030 c34dd0 100028->100030 100029->100028 100031 c50ff6 Mailbox 59 API calls 100030->100031 100032 c34de5 100031->100032 100230 c3538e 100032->100230 100034 c34df1 _memmove 100036 c34f21 100034->100036 100037 c34ee9 100034->100037 100040 c34e2c 100034->100040 100035 c35027 69 API calls 100046 c34e35 100035->100046 100244 c99ba5 95 API calls 100036->100244 100233 c34fe9 CreateStreamOnHGlobal 100037->100233 100040->100035 100041 c3506b 74 API calls 100041->100046 100043 c34ec9 100043->99921 100044 c6dcd0 100045 c35045 85 API calls 100044->100045 100047 c6dce4 100045->100047 100046->100041 100046->100043 100046->100044 100239 c35045 100046->100239 100048 c3506b 74 API calls 100047->100048 100048->100043 100050 c6ddf6 100049->100050 100051 c3507d 100049->100051 100268 c55812 100051->100268 100054 c99393 100288 c991e9 100054->100288 100056 c993a9 100056->99928 100058 c35036 100057->100058 100061 c6ddb9 100057->100061 100293 c55e90 100058->100293 100060 c3503e 100060->99930 100063 c34d2e 100062->100063 100064 c34d6a LoadLibraryA 100062->100064 100063->100016 100063->100019 100064->100063 100065 c34d7b GetProcAddress 100064->100065 100065->100063 100067 c554ac __fcloseall 100066->100067 100068 c554bf 100067->100068 100071 c554f0 100067->100071 100115 c58d68 58 API calls __getptd_noexit 100068->100115 100070 c554c4 100116 c58ff6 9 API calls __swprintf 100070->100116 100085 c60738 100071->100085 100074 c554f5 100075 c554fe 100074->100075 100076 c5550b 100074->100076 100117 c58d68 58 API calls __getptd_noexit 100075->100117 100078 c55535 100076->100078 100079 c55515 100076->100079 100100 c60857 100078->100100 100118 c58d68 58 API calls __getptd_noexit 100079->100118 100080 c554cf __fcloseall 
@_EH4_CallFilterFunc@8 100080->100022 100086 c60744 __fcloseall 100085->100086 100087 c59e4b __lock 58 API calls 100086->100087 100094 c60752 100087->100094 100088 c607c6 100120 c6084e 100088->100120 100089 c607cd 100125 c58a5d 58 API calls __malloc_crt 100089->100125 100092 c607d4 100092->100088 100126 c5a06b InitializeCriticalSectionAndSpinCount 100092->100126 100093 c60843 __fcloseall 100093->100074 100094->100088 100094->100089 100096 c59ed3 __mtinitlocknum 58 API calls 100094->100096 100123 c56e8d 59 API calls __lock 100094->100123 100124 c56ef7 LeaveCriticalSection LeaveCriticalSection _doexit 100094->100124 100096->100094 100098 c607fa EnterCriticalSection 100098->100088 100108 c60877 __wopenfile 100100->100108 100101 c60891 100131 c58d68 58 API calls __getptd_noexit 100101->100131 100103 c60896 100132 c58ff6 9 API calls __swprintf 100103->100132 100105 c55540 100119 c55562 LeaveCriticalSection LeaveCriticalSection _fprintf 100105->100119 100106 c60aaf 100128 c687f1 100106->100128 100108->100101 100114 c60a4c 100108->100114 100133 c53a0b 60 API calls 2 library calls 100108->100133 100110 c60a45 100110->100114 100134 c53a0b 60 API calls 2 library calls 100110->100134 100112 c60a64 100112->100114 100135 c53a0b 60 API calls 2 library calls 100112->100135 100114->100101 100114->100106 100115->100070 100116->100080 100117->100080 100118->100080 100119->100080 100127 c59fb5 LeaveCriticalSection 100120->100127 100122 c60855 100122->100093 100123->100094 100124->100094 100125->100092 100126->100098 100127->100122 100136 c67fd5 100128->100136 100130 c6880a 100130->100105 100131->100103 100132->100105 100133->100110 100134->100112 100135->100114 100138 c67fe1 __fcloseall 100136->100138 100137 c67ff7 100223 c58d68 58 API calls __getptd_noexit 100137->100223 100138->100137 100140 c6802d 100138->100140 100147 c6809e 100140->100147 100141 c67ffc 100224 c58ff6 9 API calls __swprintf 100141->100224 100144 c68049 100225 c68072 LeaveCriticalSection __unlock_fhandle 
Execution Graph (interactive control-flow graph rendered by the sandbox; the raw node/edge data is not reproduced here). The named nodes are MSVC CRT routines (__wsopen_nolock, __wsopen_helper, __alloc_osfhnd, __set_osfhnd, __free_osfhnd, __write_nolock, __read_nolock, __lseeki64_nolock, __close_nolock, __chsize_nolock, __fcloseall, __lock_file, __flush, __output_l, _fprintf, __swprintf, __dosmaperr, __getptd_noexit, __invoke_watson, __cinit, _free, _memmove, _wcscpy, _wcscat, _wcsncpy, __wsplitpath_helper, __wsetenvp, __tzset_nolock) and AutoIt runtime helpers (labelled "Mailbox" in the graph), consistent with the "compiled AutoIt script" signature.

Windows APIs reachable in the graph, grouped by purpose:
- File I/O: GetModuleHandleW + GetProcAddress + CreateFileW (___createFile), GetFileType, ReadFile, WriteFile, SetFilePointerEx, CloseHandle, GetFileAttributesW, FindFirstFileW/FindClose, GetFullPathNameW, GetLongPathNameW, SetCurrentDirectoryW
- Temp-file handling: GetTempPathW, GetTempFileNameW, CopyFileW, DeleteFileW, then CreateFileW followed by SetFileTime and CloseHandle on the copied file
- Console output: GetConsoleMode, GetConsoleCP, WriteConsoleW, WideCharToMultiByte
- Resources: FindResourceExW, LoadResource, SizeofResource, LockResource
- Dynamic loading: LoadLibraryA, GetProcAddress
- Registry: RegOpenKeyExW, RegQueryValueExW, RegCloseKey
- Synchronization: InitializeCriticalSectionAndSpinCount, EnterCriticalSection, LeaveCriticalSection
- Time and strings: GetSystemTimeAsFileTime, GetStringTypeW, CharUpperBuffW
- In a separate code region at 0x15deb70 (outside the 0xc3xxxx range of the main image): GetPEB followed by Sleep
101359->101362 101361->101357 101361->101358 101361->101359 101365 c86590 101361->101365 101363 c865a4 101362->101363 101364 c37c8e 59 API calls 101363->101364 101364->101357 101367 c39700 59 API calls _wcsstr 101365->101367 101367->101357 101368->101359

                Control-flow Graph

                APIs
                • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C33B7A
                • IsDebuggerPresent.KERNEL32 ref: 00C33B8C
                • GetFullPathNameW.KERNEL32(00007FFF,?,?,00CF62F8,00CF62E0,?,?), ref: 00C33BFD
                  • Part of subcall function 00C37D2C: _memmove.LIBCMT ref: 00C37D66
                  • Part of subcall function 00C40A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00C33C26,00CF62F8,?,?,?), ref: 00C40ACE
                • SetCurrentDirectoryW.KERNEL32(?), ref: 00C33C81
                • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00CE93F0,00000010), ref: 00C6D4BC
                • SetCurrentDirectoryW.KERNEL32(?,00CF62F8,?,?,?), ref: 00C6D4F4
                • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00CE5D40,00CF62F8,?,?,?), ref: 00C6D57A
                • ShellExecuteW.SHELL32(00000000,?,?), ref: 00C6D581
                  • Part of subcall function 00C33A58: GetSysColorBrush.USER32(0000000F), ref: 00C33A62
                  • Part of subcall function 00C33A58: LoadCursorW.USER32(00000000,00007F00), ref: 00C33A71
                  • Part of subcall function 00C33A58: LoadIconW.USER32(00000063), ref: 00C33A88
                  • Part of subcall function 00C33A58: LoadIconW.USER32(000000A4), ref: 00C33A9A
                  • Part of subcall function 00C33A58: LoadIconW.USER32(000000A2), ref: 00C33AAC
                  • Part of subcall function 00C33A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00C33AD2
                  • Part of subcall function 00C33A58: RegisterClassExW.USER32(?), ref: 00C33B28
                  • Part of subcall function 00C339E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C33A15
                  • Part of subcall function 00C339E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C33A36
                  • Part of subcall function 00C339E7: ShowWindow.USER32(00000000,?,?), ref: 00C33A4A
                  • Part of subcall function 00C339E7: ShowWindow.USER32(00000000,?,?), ref: 00C33A53
                  • Part of subcall function 00C343DB: _memset.LIBCMT ref: 00C34401
                  • Part of subcall function 00C343DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C344A6
                Strings
                • runas, xrefs: 00C6D575
                • This is a third-party compiled AutoIt script., xrefs: 00C6D4B4
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                • String ID: This is a third-party compiled AutoIt script.$runas
                • API String ID: 529118366-3287110873
                • Opcode ID: 935210d51c6d601672fc6890f246e82a2373772a483aa15a050d84d7e195ea8a
                • Instruction ID: 2a1b53997c8422bb95ee814079e82648e6fe64426e9b1ac08cd5ea1d788ab7f7
                • Opcode Fuzzy Hash: 935210d51c6d601672fc6890f246e82a2373772a483aa15a050d84d7e195ea8a
                • Instruction Fuzzy Hash: CF512B71E14289AECF21EBB5EC45FFD7B74AF04300F044279F512A22A1DA745B06EB22

                Control-flow Graph

                APIs
                • GetVersionExW.KERNEL32(?), ref: 00C34B2B
                  • Part of subcall function 00C37D2C: _memmove.LIBCMT ref: 00C37D66
                • GetCurrentProcess.KERNEL32(?,00CBFAEC,00000000,00000000,?), ref: 00C34BF8
                • IsWow64Process.KERNEL32(00000000), ref: 00C34BFF
                • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00C34C45
                • FreeLibrary.KERNEL32(00000000), ref: 00C34C50
                • GetSystemInfo.KERNEL32(00000000), ref: 00C34C81
                • GetSystemInfo.KERNEL32(00000000), ref: 00C34C8D
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                • String ID:
                • API String ID: 1986165174-0
                • Opcode ID: 713c1c5f4e0da539f3e007f73f3d692011d9e12c88969553d3634ae7fe9cc032
                • Instruction ID: e4493840dd343e82a602e432d8142bd26264963a3e0fdac965d8d5a16c991f87
                • Opcode Fuzzy Hash: 713c1c5f4e0da539f3e007f73f3d692011d9e12c88969553d3634ae7fe9cc032
                • Instruction Fuzzy Hash: 2A91E53194ABC4DEC735CB6894916AAFFE4AF26300F484E9DD0DB93A01D220FA48D719

                Control-flow Graph

                APIs
                • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00C34EEE,?,?,00000000,00000000), ref: 00C34FF9
                • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00C34EEE,?,?,00000000,00000000), ref: 00C35010
                • LoadResource.KERNEL32(?,00000000,?,?,00C34EEE,?,?,00000000,00000000,?,?,?,?,?,?,00C34F8F), ref: 00C6DD60
                • SizeofResource.KERNEL32(?,00000000,?,?,00C34EEE,?,?,00000000,00000000,?,?,?,?,?,?,00C34F8F), ref: 00C6DD75
                • LockResource.KERNEL32(00C34EEE,?,?,00C34EEE,?,?,00000000,00000000,?,?,?,?,?,?,00C34F8F,00000000), ref: 00C6DD88
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                • String ID: SCRIPT
                • API String ID: 3051347437-3967369404
                • Opcode ID: 0e975bf9e6e94ad9d408e8b24f13814783753b86f606d1e0edee61245dc5c856
                • Instruction ID: 0c90ae8b3a09c918ba5eef83e805d8caa0dfb1f6f910fe91166673d99a9000e0
                • Opcode Fuzzy Hash: 0e975bf9e6e94ad9d408e8b24f13814783753b86f606d1e0edee61245dc5c856
                • Instruction Fuzzy Hash: 8A117C75200700BFE7298B69DC58F6B7BB9EBC9B11F20426CF416D6260DB72EC018671
                APIs
                • GetFileAttributesW.KERNELBASE(?,00C6E7C1), ref: 00C946A6
                • FindFirstFileW.KERNELBASE(?,?), ref: 00C946B7
                • FindClose.KERNEL32(00000000), ref: 00C946C7
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: FileFind$AttributesCloseFirst
                • String ID:
                • API String ID: 48322524-0
                • Opcode ID: eaca7ff50124f3a17e6974ec8b68dad5673f15949f205ee93c62718988263790
                • Instruction ID: 005dcfd4eeb53de43b56343c4575dc3ba7c75c134527aa97c4b866e045eb30d0
                • Opcode Fuzzy Hash: eaca7ff50124f3a17e6974ec8b68dad5673f15949f205ee93c62718988263790
                • Instruction Fuzzy Hash: 2AE020714104005B4A146738EC4DDEE779CDF06335F100719F935C11F0E7B05D5185D6
                APIs
                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C40BBB
                • timeGetTime.WINMM ref: 00C40E76
                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C40FB3
                • TranslateMessage.USER32(?), ref: 00C40FC7
                • DispatchMessageW.USER32(?), ref: 00C40FD5
                • Sleep.KERNEL32(0000000A), ref: 00C40FDF
                • LockWindowUpdate.USER32(00000000,?,?), ref: 00C4105A
                • DestroyWindow.USER32 ref: 00C41066
                • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00C41080
                • Sleep.KERNEL32(0000000A,?,?), ref: 00C752AD
                • TranslateMessage.USER32(?), ref: 00C7608A
                • DispatchMessageW.USER32(?), ref: 00C76098
                • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00C760AC
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
                • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                • API String ID: 4003667617-3242690629
                • Opcode ID: 9d732203050284f825329011d273cdffe9cff17e74efdd82f4fb56b1b51c8025
                • Instruction ID: c5544ae69c43bdd62ae0398e9d0fd49573c18d1e7ae6df98d343b519522b35c0
                • Opcode Fuzzy Hash: 9d732203050284f825329011d273cdffe9cff17e74efdd82f4fb56b1b51c8025
                • Instruction Fuzzy Hash: 4AB2B070608741DFD724DF24C884BAEB7E4BF84304F24891DF59A972A1DBB1E985DB82

                Control-flow Graph

                APIs
                  • Part of subcall function 00C991E9: __time64.LIBCMT ref: 00C991F3
                  • Part of subcall function 00C35045: _fseek.LIBCMT ref: 00C3505D
                • __wsplitpath.LIBCMT ref: 00C994BE
                  • Part of subcall function 00C5432E: __wsplitpath_helper.LIBCMT ref: 00C5436E
                • _wcscpy.LIBCMT ref: 00C994D1
                • _wcscat.LIBCMT ref: 00C994E4
                • __wsplitpath.LIBCMT ref: 00C99509
                • _wcscat.LIBCMT ref: 00C9951F
                • _wcscat.LIBCMT ref: 00C99532
                  • Part of subcall function 00C9922F: _memmove.LIBCMT ref: 00C99268
                  • Part of subcall function 00C9922F: _memmove.LIBCMT ref: 00C99277
                • _wcscmp.LIBCMT ref: 00C99479
                  • Part of subcall function 00C999BE: _wcscmp.LIBCMT ref: 00C99AAE
                  • Part of subcall function 00C999BE: _wcscmp.LIBCMT ref: 00C99AC1
                • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00C996DC
                • _wcsncpy.LIBCMT ref: 00C9974F
                • DeleteFileW.KERNEL32(?,?), ref: 00C99785
                • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00C9979B
                • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C997AC
                • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C997BE
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                • String ID:
                • API String ID: 1500180987-0
                • Opcode ID: a6ff8f70b4e0fd55912a14ec67ca233d2854c3c5c8188eedbd665c2ed0c2e902
                • Instruction ID: 1b2824bf0a3daf5618f4e8b86f70ea2aaac1e689171b2b6d10b4d72e0cb9d6b0
                • Opcode Fuzzy Hash: a6ff8f70b4e0fd55912a14ec67ca233d2854c3c5c8188eedbd665c2ed0c2e902
                • Instruction Fuzzy Hash: F7C12BB1D00229AADF25DF99CC85ADEB7BDEF45300F0040AAF609E7151DB319A849F65

                Control-flow Graph

                APIs
                • GetSysColorBrush.USER32(0000000F), ref: 00C33074
                • RegisterClassExW.USER32(00000030), ref: 00C3309E
                • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C330AF
                • InitCommonControlsEx.COMCTL32(?), ref: 00C330CC
                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C330DC
                • LoadIconW.USER32(000000A9), ref: 00C330F2
                • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C33101
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                • API String ID: 2914291525-1005189915
                • Opcode ID: 6773a5f7e03d149ba3029d947aafddcd982803de2313a4922c71cf01c4468ded
                • Instruction ID: 9e08b0c87941b24fe362ddea58c7aa95c18cc141b83b7ea1aabdff2d075b04ed
                • Opcode Fuzzy Hash: 6773a5f7e03d149ba3029d947aafddcd982803de2313a4922c71cf01c4468ded
                • Instruction Fuzzy Hash: 9121F3B1940209AFDB509FA4EC88BDDBBF4FB08320F10462EE590A62A0D7B54582CF91

                Control-flow Graph

                APIs
                • GetSysColorBrush.USER32(0000000F), ref: 00C33074
                • RegisterClassExW.USER32(00000030), ref: 00C3309E
                • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C330AF
                • InitCommonControlsEx.COMCTL32(?), ref: 00C330CC
                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C330DC
                • LoadIconW.USER32(000000A9), ref: 00C330F2
                • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C33101
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                • API String ID: 2914291525-1005189915
                • Opcode ID: 97ef7ced5d2dbee8e19f204d016ca6c0d9f1d9a9fd2e57f63bf06a37a7ea8331
                • Instruction ID: 6bc279279fd870ea9ee96556dd0a68f3d8410152cfed1394b927b5b0faee5220
                • Opcode Fuzzy Hash: 97ef7ced5d2dbee8e19f204d016ca6c0d9f1d9a9fd2e57f63bf06a37a7ea8331
                • Instruction Fuzzy Hash: 3721B2B1950218AFDB00DFA4EC89BADBBF4FB08750F10422EF910A63A0DBB14545CF92

                Control-flow Graph

                APIs
                  • Part of subcall function 00C34864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00CF62F8,?,00C337C0,?), ref: 00C34882
                  • Part of subcall function 00C5074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00C372C5), ref: 00C50771
                • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00C37308
                • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00C6ECF1
                • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00C6ED32
                • RegCloseKey.ADVAPI32(?), ref: 00C6ED70
                • _wcscat.LIBCMT ref: 00C6EDC9
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                • API String ID: 2673923337-2727554177
                • Opcode ID: a3a6f72181bff7dbb4f8885a9e316010ecb314d6610f317eba13b6628871ec53
                • Instruction ID: 7d2b507f8feec6601f6bb06f145b4722126dbab3ea7c35fd386d4f4a73f98126
                • Opcode Fuzzy Hash: a3a6f72181bff7dbb4f8885a9e316010ecb314d6610f317eba13b6628871ec53
                • Instruction Fuzzy Hash: A0714CB14183019EC724EF69EC81AAFB7F8FF59350F44062EF455972A0DB309949DB52

                Control-flow Graph

                APIs
                • GetSysColorBrush.USER32(0000000F), ref: 00C33A62
                • LoadCursorW.USER32(00000000,00007F00), ref: 00C33A71
                • LoadIconW.USER32(00000063), ref: 00C33A88
                • LoadIconW.USER32(000000A4), ref: 00C33A9A
                • LoadIconW.USER32(000000A2), ref: 00C33AAC
                • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00C33AD2
                • RegisterClassExW.USER32(?), ref: 00C33B28
                  • Part of subcall function 00C33041: GetSysColorBrush.USER32(0000000F), ref: 00C33074
                  • Part of subcall function 00C33041: RegisterClassExW.USER32(00000030), ref: 00C3309E
                  • Part of subcall function 00C33041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C330AF
                  • Part of subcall function 00C33041: InitCommonControlsEx.COMCTL32(?), ref: 00C330CC
                  • Part of subcall function 00C33041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C330DC
                  • Part of subcall function 00C33041: LoadIconW.USER32(000000A9), ref: 00C330F2
                  • Part of subcall function 00C33041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C33101
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                • String ID: #$0$AutoIt v3
                • API String ID: 423443420-4155596026
                • Opcode ID: 0a7088d6d9fdbeb917a3ddc8e706a014023e8e6b2a8749f92a7fb1188d301d1e
                • Instruction ID: 113b63f5dbe9882becc800a531e1c0945b78fff34a17be6fe210f9f8f8ad1897
                • Opcode Fuzzy Hash: 0a7088d6d9fdbeb917a3ddc8e706a014023e8e6b2a8749f92a7fb1188d301d1e
                • Instruction Fuzzy Hash: B1216D70D10304AFEB109FA4EC09BAD7FB4FB08725F10026AF504A63A0D7B65654DF85

                Control-flow Graph
                APIs
                • DefWindowProcW.USER32(?,?,?,?), ref: 00C336D2
                • KillTimer.USER32(?,00000001), ref: 00C336FC
                • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C3371F
                • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C3372A
                • CreatePopupMenu.USER32 ref: 00C3373E
                • PostQuitMessage.USER32(00000000), ref: 00C3375F
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                • String ID: TaskbarCreated
                • API String ID: 129472671-2362178303
                • Opcode ID: 5c3287507562b8ceed0ec6c3c3fe5bbda2f597db607d9601679604419f9ba4a7
                • Instruction ID: 983d3f8585e26a058c557b3cabf6c0b7c949fc50fe8716ae5e0d1f765998334e
                • Opcode Fuzzy Hash: 5c3287507562b8ceed0ec6c3c3fe5bbda2f597db607d9601679604419f9ba4a7
                • Instruction Fuzzy Hash: 8B41F8B2620185BBDF246F38DD4AB7D3765FB41340F14022DFA12963A1DA60AF41E7A2

                Control-flow Graph

                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                • API String ID: 1825951767-3513169116
                • Opcode ID: fc6fb38a1ddcbf081f6557783833e97972079524a4364a8e6fe0e65b6de21b2b
                • Instruction ID: d54cc4022d8211d8f65a996f25d672630c122851a0ddfa51bd75a24f2d870509
                • Opcode Fuzzy Hash: fc6fb38a1ddcbf081f6557783833e97972079524a4364a8e6fe0e65b6de21b2b
                • Instruction Fuzzy Hash: 5AA13C72D2026D9ACF14EBA4CC95AFEB778BF14300F44052AF412B7191DF74AA09EB61

                Control-flow Graph
                APIs
                • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 015DEE91
                • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 015DF0B7
                Memory Dump Source
                • Source File: 00000000.00000002.2159501042.00000000015DC000.00000040.00000020.00020000.00000000.sdmp, Offset: 015DC000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_15dc000_W1POMvaEjU.jbxd
                Similarity
                • API ID: CreateFileFreeVirtual
                • String ID:
                • API String ID: 204039940-0
                • Opcode ID: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
                • Instruction ID: 4acdd13848c4c1a4f3e7af231e41d124ff8b2f74ae6f54cb5f4a87199b545522
                • Opcode Fuzzy Hash: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
                • Instruction Fuzzy Hash: 1CA10A70E00209EBDB24CFA8C895BEEBBB5FF48704F108599E516BB280D7759A41CF94

                Control-flow Graph
                APIs
                • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C33A15
                • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C33A36
                • ShowWindow.USER32(00000000,?,?), ref: 00C33A4A
                • ShowWindow.USER32(00000000,?,?), ref: 00C33A53
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Window$CreateShow
                • String ID: AutoIt v3$edit
                • API String ID: 1584632944-3779509399
                • Opcode ID: eecb1d8a9b2188cf9d93b521b3b0c6789b8d78d8c2659d757f675dcd26356948
                • Instruction ID: c84ef990d1580aa81a34f8c592246854314cc25f2b0fad95e5ec09f9f58a445c
                • Opcode Fuzzy Hash: eecb1d8a9b2188cf9d93b521b3b0c6789b8d78d8c2659d757f675dcd26356948
                • Instruction Fuzzy Hash: 90F0DA716412907EEA311B2B6C4DF7B7E7DD7C6F50F11412EB904A2270C6A51851DAB1

                Control-flow Graph
                APIs
                  • Part of subcall function 015DEA60: Sleep.KERNELBASE(000001F4), ref: 015DEA71
                • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 015DECAC
                Memory Dump Source
                • Source File: 00000000.00000002.2159501042.00000000015DC000.00000040.00000020.00020000.00000000.sdmp, Offset: 015DC000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_15dc000_W1POMvaEjU.jbxd
                Similarity
                • API ID: CreateFileSleep
                • String ID: CY8ZSXQ74IRQQ01361XLFZ74T
                • API String ID: 2694422964-2074028006
                • Opcode ID: 3d7773fb3851a868dc340c19b4009f0d748b44bb4546f5f8bf4be67b42b3ba57
                • Instruction ID: 0228db7b88ecea7871969a0143d634eb8d744f7b6e72ada2a1016852528a7b2c
                • Opcode Fuzzy Hash: 3d7773fb3851a868dc340c19b4009f0d748b44bb4546f5f8bf4be67b42b3ba57
                • Instruction Fuzzy Hash: B051A330D04289DAEF21D7A8C849BDEBBB9AF15304F044199E6487F2C1D6B91B49CB62

                Control-flow Graph
                APIs
                • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00C6D5EC
                  • Part of subcall function 00C37D2C: _memmove.LIBCMT ref: 00C37D66
                • _memset.LIBCMT ref: 00C3418D
                • _wcscpy.LIBCMT ref: 00C341E1
                • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C341F1
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                • String ID: Line:
                • API String ID: 3942752672-1585850449
                • Opcode ID: 866e7bcf334e75e727212cf146edfa89897888ed66750772bd9e0a419d56cd39
                • Instruction ID: 3b96eb5a50df3df86618c2d77591eccefb32b12a09cd9eb806de7dec4d90650d
                • Opcode Fuzzy Hash: 866e7bcf334e75e727212cf146edfa89897888ed66750772bd9e0a419d56cd39
                • Instruction Fuzzy Hash: 7C31E0B2418304AED335EB60DC46FEF77E8AF44300F10462EF595921A1EB74A648DB97

                Control-flow Graph
                APIs
                  • Part of subcall function 00C34F3D: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00CF62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C34F6F
                • _free.LIBCMT ref: 00C6E68C
                • _free.LIBCMT ref: 00C6E6D3
                  • Part of subcall function 00C36BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00C36D0D
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: _free$CurrentDirectoryLibraryLoad
                • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                • API String ID: 2861923089-1757145024
                • Opcode ID: 597f8caffed4a81e88534003c8dbe6b44ae8b97e48ff42cd78ad0efab98c976b
                • Instruction ID: bb3ccea3b6da2fc53bf57f786d91d0ec1a2f3be5585d45d33316391f94d68b29
                • Opcode Fuzzy Hash: 597f8caffed4a81e88534003c8dbe6b44ae8b97e48ff42cd78ad0efab98c976b
                • Instruction Fuzzy Hash: 85918F75920219EFCF14EFA4CC919EDB7B4FF18314F14456AF816AB291EB30AA05DB60
                APIs
                • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00C335A1,SwapMouseButtons,00000004,?), ref: 00C335D4
                • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00C335A1,SwapMouseButtons,00000004,?,?,?,?,00C32754), ref: 00C335F5
                • RegCloseKey.KERNELBASE(00000000,?,?,00C335A1,SwapMouseButtons,00000004,?,?,?,?,00C32754), ref: 00C33617
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: CloseOpenQueryValue
                • String ID: Control Panel\Mouse
                • API String ID: 3677997916-824357125
                • Opcode ID: 580f8d1d753a51bd7cc8117da62d7dbe50dbfe5e65d6cbcc44f27d49db87dd17
                • Instruction ID: 179f0d585468abc437d1e7fd0666b4225da2b4ba7b719523ceb12d454f0ac6f1
                • Opcode Fuzzy Hash: 580f8d1d753a51bd7cc8117da62d7dbe50dbfe5e65d6cbcc44f27d49db87dd17
                • Instruction Fuzzy Hash: 05114871920248BFDB209F65EC41AEEB7BCFF04740F004569F805D7210D2719F4197A4
                APIs
                • CreateProcessW.KERNELBASE(?,00000000), ref: 015DE21B
                • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 015DE2B1
                • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 015DE2D3
                Memory Dump Source
                • Source File: 00000000.00000002.2159501042.00000000015DC000.00000040.00000020.00020000.00000000.sdmp, Offset: 015DC000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_15dc000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Process$ContextCreateMemoryReadThreadWow64
                • String ID:
                • API String ID: 2438371351-0
                • Opcode ID: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
                • Instruction ID: 88ba27b30a332b1573f31c2943d0d4d796d5e492c201bd9304ac3546012cd4b1
                • Opcode Fuzzy Hash: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
                • Instruction Fuzzy Hash: A2620A30A14658DBEB24CFA8C851BDEB772FF58300F1095A9D10DEB290E7769E81CB59
                APIs
                  • Part of subcall function 00C35045: _fseek.LIBCMT ref: 00C3505D
                  • Part of subcall function 00C999BE: _wcscmp.LIBCMT ref: 00C99AAE
                  • Part of subcall function 00C999BE: _wcscmp.LIBCMT ref: 00C99AC1
                • _free.LIBCMT ref: 00C9992C
                • _free.LIBCMT ref: 00C99933
                • _free.LIBCMT ref: 00C9999E
                  • Part of subcall function 00C52F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00C59C64), ref: 00C52FA9
                  • Part of subcall function 00C52F95: GetLastError.KERNEL32(00000000,?,00C59C64), ref: 00C52FBB
                • _free.LIBCMT ref: 00C999A6
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                • String ID:
                • API String ID: 1552873950-0
                • Opcode ID: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
                • Instruction ID: 0ef39bc098cbbd5f0f7cbf2e174a09ac25768a9e11c74105f6b38ebed0a69ca4
                • Opcode Fuzzy Hash: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
                • Instruction Fuzzy Hash: 4E5160B1D04218AFDF249F64DC85A9EBBB9EF48310F1004AEF609A7281DB715E80DF58
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                • String ID:
                • API String ID: 2782032738-0
                • Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
                • Instruction ID: fa5a50fdf952a970c33c2cc3dfa6245d7210a765a5d4806b60913d19abe5f69e
                • Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
                • Instruction Fuzzy Hash: 2341C77C6006069BDB2C8E69C8819AF77A9EF8035AB14812DEC6587640D7709EC9974C
                APIs
                • _memset.LIBCMT ref: 00C6EE62
                • GetOpenFileNameW.COMDLG32(?), ref: 00C6EEAC
                  • Part of subcall function 00C348AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C348A1,?,?,00C337C0,?), ref: 00C348CE
                  • Part of subcall function 00C509D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C509F4
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Name$Path$FileFullLongOpen_memset
                • String ID: X
                • API String ID: 3777226403-3081909835
                • Opcode ID: b0f0785287aaddcc7aaca9edd8719d3f9f44c0688cd14e796ef3dd9ddc64b483
                • Instruction ID: b6d820f151ea4ce9af15cb9fc536fa9057de86500b1aff8cccbe4095f1628262
                • Opcode Fuzzy Hash: b0f0785287aaddcc7aaca9edd8719d3f9f44c0688cd14e796ef3dd9ddc64b483
                • Instruction Fuzzy Hash: 8021D5B1A102989BCF11DF94CC45BEE7BF89F49305F04405AE808E7281DBB45A89DFA1
                APIs
                • GetTempPathW.KERNEL32(00000104,?), ref: 00C99B82
                • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00C99B99
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Temp$FileNamePath
                • String ID: aut
                • API String ID: 3285503233-3010740371
                • Opcode ID: 0d6ef23e654ef2fcb5fa8e1308b144b0689c177fce36d004d637a47d09b6ea6a
                • Instruction ID: 30ce0867df623bbd5e1728bae4f21ce2201ab9a472ee75a98ee1000b6293ab7f
                • Opcode Fuzzy Hash: 0d6ef23e654ef2fcb5fa8e1308b144b0689c177fce36d004d637a47d09b6ea6a
                • Instruction Fuzzy Hash: 79D05E7954030DABDB209B94DC0EF9A772CEB04700F0042B1BF94922A1DEB069998B92
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5556fe594400c8a00bff4de00566d408c947892b885f363a6b6d94898d63b6b9
                • Instruction ID: 95e6aa95f3f47484669c845d5c1a63f0bb8b5d01e3db8999cf83d69b7d714baf
                • Opcode Fuzzy Hash: 5556fe594400c8a00bff4de00566d408c947892b885f363a6b6d94898d63b6b9
                • Instruction Fuzzy Hash: 5BF13A715083019FCB14DF28C484A6ABBE5FF89318F14896EF8AA9B351D771E945CF82
                APIs
                  • Part of subcall function 00C503A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C503D3
                  • Part of subcall function 00C503A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 00C503DB
                  • Part of subcall function 00C503A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C503E6
                  • Part of subcall function 00C503A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C503F1
                  • Part of subcall function 00C503A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00C503F9
                  • Part of subcall function 00C503A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00C50401
                  • Part of subcall function 00C46259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00C3FA90), ref: 00C462B4
                • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00C3FB2D
                • OleInitialize.OLE32(00000000), ref: 00C3FBAA
                • CloseHandle.KERNEL32(00000000), ref: 00C749F2
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                • String ID:
                • API String ID: 1986988660-0
                APIs
                • _memset.LIBCMT ref: 00C34401
                • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C344A6
                • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00C344C3
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: IconNotifyShell_$_memset
                • String ID:
                • API String ID: 1505330794-0
                APIs
                • __FF_MSGBANNER.LIBCMT ref: 00C55963
                  • Part of subcall function 00C5A3AB: __NMSG_WRITE.LIBCMT ref: 00C5A3D2
                  • Part of subcall function 00C5A3AB: __NMSG_WRITE.LIBCMT ref: 00C5A3DC
                • __NMSG_WRITE.LIBCMT ref: 00C5596A
                  • Part of subcall function 00C5A408: GetModuleFileNameW.KERNEL32(00000000,00CF43BA,00000104,?,00000001,00000000), ref: 00C5A49A
                  • Part of subcall function 00C5A408: ___crtMessageBoxW.LIBCMT ref: 00C5A548
                  • Part of subcall function 00C532DF: ___crtCorExitProcess.LIBCMT ref: 00C532E5
                  • Part of subcall function 00C532DF: ExitProcess.KERNEL32 ref: 00C532EE
                  • Part of subcall function 00C58D68: __getptd_noexit.LIBCMT ref: 00C58D68
                • RtlAllocateHeap.NTDLL(015A0000,00000000,00000001,00000000,?,?,?,00C51013,?), ref: 00C5598F
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                • String ID:
                • API String ID: 1372826849-0
                APIs
                • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00C997D2,?,?,?,?,?,00000004), ref: 00C99B45
                • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00C997D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00C99B5B
                • CloseHandle.KERNEL32(00000000,?,00C997D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00C99B62
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: File$CloseCreateHandleTime
                • String ID:
                • API String ID: 3397143404-0
                APIs
                • _free.LIBCMT ref: 00C98FA5
                  • Part of subcall function 00C52F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00C59C64), ref: 00C52FA9
                  • Part of subcall function 00C52F95: GetLastError.KERNEL32(00000000,?,00C59C64), ref: 00C52FBB
                • _free.LIBCMT ref: 00C98FB6
                • _free.LIBCMT ref: 00C98FC8
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID:
                • API String ID: 776569668-0
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID:
                • String ID: CALL
                • API String ID: 0-4196123274
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: _memmove
                • String ID: EA06
                • API String ID: 4104443479-3962188686
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: _memmove
                • String ID:
                • API String ID: 4104443479-0
                APIs
                • IsThemeActive.UXTHEME ref: 00C34992
                  • Part of subcall function 00C535AC: __lock.LIBCMT ref: 00C535B2
                  • Part of subcall function 00C535AC: DecodePointer.KERNEL32(00000001,?,00C349A7,00C881BC), ref: 00C535BE
                  • Part of subcall function 00C535AC: EncodePointer.KERNEL32(?,?,00C349A7,00C881BC), ref: 00C535C9
                  • Part of subcall function 00C34A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00C34A73
                  • Part of subcall function 00C34A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00C34A88
                  • Part of subcall function 00C33B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C33B7A
                  • Part of subcall function 00C33B4C: IsDebuggerPresent.KERNEL32 ref: 00C33B8C
                  • Part of subcall function 00C33B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,00CF62F8,00CF62E0,?,?), ref: 00C33BFD
                  • Part of subcall function 00C33B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00C33C81
                • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00C349D2
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                • String ID:
                • API String ID: 1438897964-0
                APIs
                  • Part of subcall function 00C5594C: __FF_MSGBANNER.LIBCMT ref: 00C55963
                  • Part of subcall function 00C5594C: __NMSG_WRITE.LIBCMT ref: 00C5596A
                  • Part of subcall function 00C5594C: RtlAllocateHeap.NTDLL(015A0000,00000000,00000001,00000000,?,?,?,00C51013,?), ref: 00C5598F
                • std::exception::exception.LIBCMT ref: 00C5102C
                • __CxxThrowException@8.LIBCMT ref: 00C51041
                  • Part of subcall function 00C587DB: RaiseException.KERNEL32(?,?,?,00CEBAF8,00000000,?,?,?,?,00C51046,?,00CEBAF8,?,00000001), ref: 00C58830
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                • String ID:
                • API String ID: 3902256705-0
                APIs
                  • Part of subcall function 00C58D68: __getptd_noexit.LIBCMT ref: 00C58D68
                • __lock_file.LIBCMT ref: 00C5561B
                  • Part of subcall function 00C56E4E: __lock.LIBCMT ref: 00C56E71
                • __fclose_nolock.LIBCMT ref: 00C55626
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                • String ID:
                • API String ID: 2800547568-0
                APIs
                • CreateProcessW.KERNELBASE(?,00000000), ref: 015DE21B
                • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 015DE2B1
                • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 015DE2D3
                Memory Dump Source
                • Source File: 00000000.00000002.2159501042.00000000015DC000.00000040.00000020.00020000.00000000.sdmp, Offset: 015DC000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_15dc000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Process$ContextCreateMemoryReadThreadWow64
                • String ID:
                • API String ID: 2438371351-0
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: ProtectVirtual
                • String ID:
                • API String ID: 544645111-0
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: ClearVariant
                • String ID:
                • API String ID: 1473721057-0
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: _memmove
                • String ID:
                • API String ID: 4104443479-0
                APIs
                  • Part of subcall function 00C34D13: FreeLibrary.KERNEL32(00000000,?), ref: 00C34D4D
                  • Part of subcall function 00C5548B: __wfsopen.LIBCMT ref: 00C55496
                • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00CF62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C34F6F
                  • Part of subcall function 00C34CC8: FreeLibrary.KERNEL32(00000000), ref: 00C34D02
                  • Part of subcall function 00C34DD0: _memmove.LIBCMT ref: 00C34E1A
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Library$Free$Load__wfsopen_memmove
                • String ID:
                • API String ID: 1396898556-0
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: ClearVariant
                • String ID:
                • API String ID: 1473721057-0
                APIs
                • __lock_file.LIBCMT ref: 00C54AD6
                  • Part of subcall function 00C58D68: __getptd_noexit.LIBCMT ref: 00C58D68
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: __getptd_noexit__lock_file
                • String ID:
                • API String ID: 2597487223-0
                APIs
                • FreeLibrary.KERNEL32(?,?,00CF62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C34FDE
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: FreeLibrary
                • String ID:
                • API String ID: 3664257935-0
                • Opcode ID: 541c6e09fa0ebc6bdd079d23912b55db0c5216b0253c4533532263198766180c
                • Instruction ID: ccaeb48132431b1cff6d2200935307a48a086ce5fc3f092dc1de9e0e27e758d3
                • Opcode Fuzzy Hash: 541c6e09fa0ebc6bdd079d23912b55db0c5216b0253c4533532263198766180c
                • Instruction Fuzzy Hash: A2F03971115712CFCB389FA5E894826BBE1BF093297288A3EE5E682610C731A984DF40
                APIs
                • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C509F4
                  • Part of subcall function 00C37D2C: _memmove.LIBCMT ref: 00C37D66
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: LongNamePath_memmove
                • String ID:
                • API String ID: 2514874351-0
                • Opcode ID: 2f97b58c7505a226b953ac1e733c084c07e40c010f88dbe03d70e6b44893733a
                • Instruction ID: 824afb38046c35df5ae4e56f439f594848dbf41f5793881f45c92196d9358317
                • Opcode Fuzzy Hash: 2f97b58c7505a226b953ac1e733c084c07e40c010f88dbe03d70e6b44893733a
                • Instruction Fuzzy Hash: FBE0CD7690422857C730D6689C05FFA77EDDFC9791F0402B6FC0CD7304D9619C818691
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: __wfsopen
                • String ID:
                • API String ID: 197181222-0
                • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                • Instruction ID: 5920976a1ef0a9d906fb151e0f8208dac808facea03bac2d20fb684fb6f4d590
                • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                • Instruction Fuzzy Hash: DBB0927A84020C77DE012E82EC02A693B1A9B40679F808020FF0C28162A673A6A4A689
                APIs
                • Sleep.KERNELBASE(000001F4), ref: 015DEA71
                Memory Dump Source
                • Source File: 00000000.00000002.2159501042.00000000015DC000.00000040.00000020.00020000.00000000.sdmp, Offset: 015DC000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_15dc000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Sleep
                • String ID:
                • API String ID: 3472027048-0
                • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                • Instruction ID: a5bc56a2c46330cc42e04095174adf65722b83d01487c90256b4950844e89946
                • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                • Instruction Fuzzy Hash: F5E0BF7494010E9FDB00EFA8D54969E7BB4FF04301F100261FD0196281D67099508A62
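The Sleep(0x1F4 = 500 ms) routine above is the only function in this part of the report whose dump source is not the AutoIt host image: its descriptor carries 00000040 / 00020000 and "based on PE: false", whereas every other function comes from the 00C30000 image with 00000020 / 01000000. The helper below is an added example by the editor, not code from the Joe Sandbox report, that decodes those descriptors so the distinction is explicit. It assumes (from the two descriptors on this page, not from any documented naming scheme) that the fifth dot-separated field is the Win32 Protect value and the seventh the allocation Type, and it reads the first two fields as process and dump index only because they match the "0_2" prefix of the snapshot file names.

```python
"""Decode the memory-dump descriptors that name each function's source above.

Added example by the editor, not part of the Joe Sandbox report. Each
descriptor is eight dot-separated fields plus ".sdmp". ASSUMPTION: field 5 is
the Win32 Protect value and field 7 the allocation Type (consistent with the
two descriptors on this page, but the naming scheme is not documented here).
"""
import re

# Both descriptors are taken verbatim from the report above.
IMAGE_DUMP = "00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp"
PRIVATE_DUMP = "00000000.00000002.2159501042.00000000015DC000.00000040.00000020.00020000.00000000.sdmp"

# Win32 PAGE_* protection constants (low byte; PAGE_GUARD/NOCACHE modifiers live above it).
PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
# Win32 MEMORY_BASIC_INFORMATION.Type values.
MEM_TYPE = {0x1000000: "MEM_IMAGE", 0x40000: "MEM_MAPPED", 0x20000: "MEM_PRIVATE"}

DESCRIPTOR = re.compile(
    r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})\."
    r"([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$"
)


def decode(name):
    """Split one descriptor into the fields this example interprets."""
    m = DESCRIPTOR.match(name)
    if not m:
        raise ValueError(f"not a dump descriptor: {name}")
    proc, dump_idx, _serial, base, protect, _f6, mtype, _f8 = m.groups()
    protect = int(protect, 16)
    mtype = int(mtype, 16)
    return {
        "process_index": int(proc, 16),        # ASSUMPTION: the "0" of hcaresult_0_2_...
        "dump_index": int(dump_idx, 16),       # ASSUMPTION: the "2" of hcaresult_0_2_...
        "base": int(base, 16),
        "protect": PROTECT.get(protect & 0xFF, f"0x{protect:x}"),
        "type": MEM_TYPE.get(mtype, f"0x{mtype:x}"),
        # Executable and writable at once: PAGE_EXECUTE_READWRITE or PAGE_EXECUTE_WRITECOPY.
        "writable_executable": (protect & 0xC0) != 0,
        "image_backed": mtype == 0x1000000,
    }


def triage(name):
    """One-line verdict: code in a mapped PE is expected; RWX private code is not."""
    d = decode(name)
    if d["writable_executable"] and not d["image_backed"]:
        return (f"suspicious: {d['protect']} {d['type']} region at 0x{d['base']:X}, "
                "code not backed by a PE image (unpacked or injected stage)")
    return f"expected: {d['protect']} {d['type']} region at 0x{d['base']:X} inside a mapped image"


if __name__ == "__main__":
    for n in (IMAGE_DUMP, PRIVATE_DUMP):
        print(triage(n))
```

Run against the two descriptors, the 00C31000 source decodes to PAGE_EXECUTE_READ / MEM_IMAGE and the 015DC000 source to PAGE_EXECUTE_READWRITE / MEM_PRIVATE, which is the same thing the report says in words with "based on PE: false": the Sleep loop executes from a writable, non-image region, the usual location of a decrypted second stage.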
                APIs
                  • Part of subcall function 00C32612: GetWindowLongW.USER32(?,000000EB), ref: 00C32623
                • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00CBCE50
                • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00CBCE91
                • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00CBCED6
                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00CBCF00
                • SendMessageW.USER32 ref: 00CBCF29
                • _wcsncpy.LIBCMT ref: 00CBCFA1
                • GetKeyState.USER32(00000011), ref: 00CBCFC2
                • GetKeyState.USER32(00000009), ref: 00CBCFCF
                • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00CBCFE5
                • GetKeyState.USER32(00000010), ref: 00CBCFEF
                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00CBD018
                • SendMessageW.USER32 ref: 00CBD03F
                • SendMessageW.USER32(?,00001030,?,00CBB602), ref: 00CBD145
                • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00CBD15B
                • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00CBD16E
                • SetCapture.USER32(?), ref: 00CBD177
                • ClientToScreen.USER32(?,?), ref: 00CBD1DC
                • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00CBD1E9
                • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00CBD203
                • ReleaseCapture.USER32 ref: 00CBD20E
                • GetCursorPos.USER32(?), ref: 00CBD248
                • ScreenToClient.USER32(?,?), ref: 00CBD255
                • SendMessageW.USER32(?,00001012,00000000,?), ref: 00CBD2B1
                • SendMessageW.USER32 ref: 00CBD2DF
                • SendMessageW.USER32(?,00001111,00000000,?), ref: 00CBD31C
                • SendMessageW.USER32 ref: 00CBD34B
                • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00CBD36C
                • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00CBD37B
                • GetCursorPos.USER32(?), ref: 00CBD39B
                • ScreenToClient.USER32(?,?), ref: 00CBD3A8
                • GetParent.USER32(?), ref: 00CBD3C8
                • SendMessageW.USER32(?,00001012,00000000,?), ref: 00CBD431
                • SendMessageW.USER32 ref: 00CBD462
                • ClientToScreen.USER32(?,?), ref: 00CBD4C0
                • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00CBD4F0
                • SendMessageW.USER32(?,00001111,00000000,?), ref: 00CBD51A
                • SendMessageW.USER32 ref: 00CBD53D
                • ClientToScreen.USER32(?,?), ref: 00CBD58F
                • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00CBD5C3
                  • Part of subcall function 00C325DB: GetWindowLongW.USER32(?,000000EB), ref: 00C325EC
                • GetWindowLongW.USER32(?,000000F0), ref: 00CBD65F
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                • String ID: @GUI_DRAGID$F
                • API String ID: 3977979337-4164748364
                • Opcode ID: f1b54e4bd36af3bcc42eb284d4789ee2d0d724bcbd3b7f0093b03994bb54a88f
                • Instruction ID: 1e4b81c710171afa27f60a3fcdb6588a8e06556e8b493d6894c0159744cf377a
                • Opcode Fuzzy Hash: f1b54e4bd36af3bcc42eb284d4789ee2d0d724bcbd3b7f0093b03994bb54a88f
                • Instruction Fuzzy Hash: 2F42AC70204281EFDB25CF28C884BAEBBE5FF48314F14061DF6A6972A1D731E955DB92
                APIs
                • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00CB873F
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: MessageSend
                • String ID: %d/%02d/%02d
                • API String ID: 3850602802-328681919
                • Opcode ID: 872a80e49f5e265c83f03fe08686167c510c81dabf26184ed40508511ce367f3
                • Instruction ID: b4b7f15d6ea304c6dc28d50294c50c82a9b9ce541d818e7e5c0b70c3ff9d22eb
                • Opcode Fuzzy Hash: 872a80e49f5e265c83f03fe08686167c510c81dabf26184ed40508511ce367f3
                • Instruction Fuzzy Hash: 41129F71500208ABEB259F69CC49FEE7BB8EF45714F244229F915EB2E1DF709A49CB10
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: _memmove$_memset
                • String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                • API String ID: 1357608183-1798697756
                • Opcode ID: 20ecd32c3b28d3d94044ac7fbea55c62707f1ba9439bbcb0494c8ced10b0a605
                • Instruction ID: a0d25e48a64f65338af3ccff6b518c816eeb35ffff6ba9c90ee78ee73d3c9407
                • Opcode Fuzzy Hash: 20ecd32c3b28d3d94044ac7fbea55c62707f1ba9439bbcb0494c8ced10b0a605
                • Instruction Fuzzy Hash: AC93B071E0021ADFDB24DF98C885BADB7B1FF48714F25816AE955EB280E7709E81CB44
                APIs
                • GetForegroundWindow.USER32(00000000,?), ref: 00C34A3D
                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C6DA8E
                • IsIconic.USER32(?), ref: 00C6DA97
                • ShowWindow.USER32(?,00000009), ref: 00C6DAA4
                • SetForegroundWindow.USER32(?), ref: 00C6DAAE
                • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C6DAC4
                • GetCurrentThreadId.KERNEL32 ref: 00C6DACB
                • GetWindowThreadProcessId.USER32(?,00000000), ref: 00C6DAD7
                • AttachThreadInput.USER32(?,00000000,00000001), ref: 00C6DAE8
                • AttachThreadInput.USER32(?,00000000,00000001), ref: 00C6DAF0
                • AttachThreadInput.USER32(00000000,?,00000001), ref: 00C6DAF8
                • SetForegroundWindow.USER32(?), ref: 00C6DAFB
                • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C6DB10
                • keybd_event.USER32(00000012,00000000), ref: 00C6DB1B
                • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C6DB25
                • keybd_event.USER32(00000012,00000000), ref: 00C6DB2A
                • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C6DB33
                • keybd_event.USER32(00000012,00000000), ref: 00C6DB38
                • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C6DB42
                • keybd_event.USER32(00000012,00000000), ref: 00C6DB47
                • SetForegroundWindow.USER32(?), ref: 00C6DB4A
                • AttachThreadInput.USER32(?,?,00000000), ref: 00C6DB71
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                • String ID: Shell_TrayWnd
                • API String ID: 4125248594-2988720461
                • Opcode ID: 60c2ed0d1ca690e3f9b099b2bfa5a20b729d4fc688ea9364d28dc3dc1330e4a1
                • Instruction ID: cc9161ef3b7242a2ce64aa219294355e02f34e3c262193b75cdc1e1b855081e2
                • Opcode Fuzzy Hash: 60c2ed0d1ca690e3f9b099b2bfa5a20b729d4fc688ea9364d28dc3dc1330e4a1
                • Instruction Fuzzy Hash: E7317571F40318BBEB305FA59C89FBF3F6CEB44B50F114169FA05E62D1C6B05941AAA0
                APIs
                  • Part of subcall function 00C88CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C88D0D
                  • Part of subcall function 00C88CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C88D3A
                  • Part of subcall function 00C88CC3: GetLastError.KERNEL32 ref: 00C88D47
                • _memset.LIBCMT ref: 00C8889B
                • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00C888ED
                • CloseHandle.KERNEL32(?), ref: 00C888FE
                • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00C88915
                • GetProcessWindowStation.USER32 ref: 00C8892E
                • SetProcessWindowStation.USER32(00000000), ref: 00C88938
                • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00C88952
                  • Part of subcall function 00C88713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C88851), ref: 00C88728
                  • Part of subcall function 00C88713: CloseHandle.KERNEL32(?,?,00C88851), ref: 00C8873A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                • String ID: $default$winsta0
                • API String ID: 2063423040-1027155976
                • Opcode ID: 61e2b64b9e4e7be7c54f8f4ed8329cf7fac31e9c461343994dd4ae7aa0a446f4
                • Instruction ID: 1b9cc87ffb12095d0b874b0932c83443c6a957e0e2ca7d80e3b6914dba490923
                • Opcode Fuzzy Hash: 61e2b64b9e4e7be7c54f8f4ed8329cf7fac31e9c461343994dd4ae7aa0a446f4
                • Instruction Fuzzy Hash: BF816471900209BFDF15EFA4DC45AEE7B78EF04308F58415AF920B66A1DB318E19EB64
                APIs
                • OpenClipboard.USER32(00CBF910), ref: 00CA4284
                • IsClipboardFormatAvailable.USER32(0000000D), ref: 00CA4292
                • GetClipboardData.USER32(0000000D), ref: 00CA429A
                • CloseClipboard.USER32 ref: 00CA42A6
                • GlobalLock.KERNEL32(00000000), ref: 00CA42C2
                • CloseClipboard.USER32 ref: 00CA42CC
                • GlobalUnlock.KERNEL32(00000000), ref: 00CA42E1
                • IsClipboardFormatAvailable.USER32(00000001), ref: 00CA42EE
                • GetClipboardData.USER32(00000001), ref: 00CA42F6
                • GlobalLock.KERNEL32(00000000), ref: 00CA4303
                • GlobalUnlock.KERNEL32(00000000), ref: 00CA4337
                • CloseClipboard.USER32 ref: 00CA4447
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                • String ID:
                • API String ID: 3222323430-0
                • Opcode ID: b237d3eb3bab9ca19338260d3ccaa8d2d178d2d81b98e465af4ba823b8a25a84
                • Instruction ID: 579c96a15003055b23ce041cbe9bcda981756eb86d104602f57059bfe36b3ca4
                • Opcode Fuzzy Hash: b237d3eb3bab9ca19338260d3ccaa8d2d178d2d81b98e465af4ba823b8a25a84
                • Instruction Fuzzy Hash: 9451C075204302AFD714EF64EC86F7E77A8AF85B04F00462DF956D22A1DBB0D9069B62
                APIs
                • FindFirstFileW.KERNEL32(?,?), ref: 00C9C9F8
                • FindClose.KERNEL32(00000000), ref: 00C9CA4C
                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C9CA71
                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C9CA88
                • FileTimeToSystemTime.KERNEL32(?,?), ref: 00C9CAAF
                • __swprintf.LIBCMT ref: 00C9CAFB
                • __swprintf.LIBCMT ref: 00C9CB3E
                  • Part of subcall function 00C37F41: _memmove.LIBCMT ref: 00C37F82
                • __swprintf.LIBCMT ref: 00C9CB92
                  • Part of subcall function 00C538D8: __woutput_l.LIBCMT ref: 00C53931
                • __swprintf.LIBCMT ref: 00C9CBE0
                  • Part of subcall function 00C538D8: __flsbuf.LIBCMT ref: 00C53953
                  • Part of subcall function 00C538D8: __flsbuf.LIBCMT ref: 00C5396B
                • __swprintf.LIBCMT ref: 00C9CC2F
                • __swprintf.LIBCMT ref: 00C9CC7E
                • __swprintf.LIBCMT ref: 00C9CCCD
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                • API String ID: 3953360268-2428617273
                • Opcode ID: 98db6c1b294fbe466ca9cd6990b06dc6be591899d0a7da9c7068575e1aeb7aed
                • Instruction ID: 44d64b5c333a3f545cde8dbec2baf17ea6cc9ac8e67e63abf3e3947c1aa580d0
                • Opcode Fuzzy Hash: 98db6c1b294fbe466ca9cd6990b06dc6be591899d0a7da9c7068575e1aeb7aed
                • Instruction Fuzzy Hash: 51A130B2418344ABC714EB64CD85DAFB7ECFF98700F404929F596C3191EA74DA09EB62
                APIs
                • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00C9F221
                • _wcscmp.LIBCMT ref: 00C9F236
                • _wcscmp.LIBCMT ref: 00C9F24D
                • GetFileAttributesW.KERNEL32(?), ref: 00C9F25F
                • SetFileAttributesW.KERNEL32(?,?), ref: 00C9F279
                • FindNextFileW.KERNEL32(00000000,?), ref: 00C9F291
                • FindClose.KERNEL32(00000000), ref: 00C9F29C
                • FindFirstFileW.KERNEL32(*.*,?), ref: 00C9F2B8
                • _wcscmp.LIBCMT ref: 00C9F2DF
                • _wcscmp.LIBCMT ref: 00C9F2F6
                • SetCurrentDirectoryW.KERNEL32(?), ref: 00C9F308
                • SetCurrentDirectoryW.KERNEL32(00CEA5A0), ref: 00C9F326
                • FindNextFileW.KERNEL32(00000000,00000010), ref: 00C9F330
                • FindClose.KERNEL32(00000000), ref: 00C9F33D
                • FindClose.KERNEL32(00000000), ref: 00C9F34F
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                • String ID: *.*
                • API String ID: 1803514871-438819550
                • Opcode ID: ae1a0fe6755e3238a1cb817e91845e795c5f4825e01fa26f02548325542877d6
                • Instruction ID: 5fc7507229a929c8a4f19869b914b26cc9abfaa7eb16d133ca163003470474ee
                • Opcode Fuzzy Hash: ae1a0fe6755e3238a1cb817e91845e795c5f4825e01fa26f02548325542877d6
                • Instruction Fuzzy Hash: 8F31B2765016596ADF10DBB4DC4CBEE73ACAF08361F140279E914D31A0EB74DB868A64
                APIs
                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CB0BDE
                • RegCreateKeyExW.ADVAPI32(?,?,00000000,00CBF910,00000000,?,00000000,?,?), ref: 00CB0C4C
                • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00CB0C94
                • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00CB0D1D
                • RegCloseKey.ADVAPI32(?), ref: 00CB103D
                • RegCloseKey.ADVAPI32(00000000), ref: 00CB104A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Close$ConnectCreateRegistryValue
                • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                • API String ID: 536824911-966354055
                • Opcode ID: c75636a015c1df46ce8f2ca98d925b37ef9859ebb84eaf89d3d459da69873e53
                • Instruction ID: e2e57711abb930462cca628938f294cf4ed3cd774df82c313076d16a44544bb2
                • Opcode Fuzzy Hash: c75636a015c1df46ce8f2ca98d925b37ef9859ebb84eaf89d3d459da69873e53
                • Instruction Fuzzy Hash: 54028B752006419FCB14EF29C891E6AB7E5FF89710F04895DF89A9B3A2CB70ED41DB81
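Several of the function listings above are recognisable only by the combination of calls they make: the 00C6DA8E routine attaches to the foreground thread with AttachThreadInput and taps key 0x12 (VK_MENU, the Alt key) through keybd_event before SetForegroundWindow, the 00C8889B routine duplicates a token and opens winsta0 / default, the 00CA4284 routine pulls clipboard formats 0x0D (CF_UNICODETEXT) and 0x01 (CF_TEXT), and the 00CB0BDE routine creates and sets registry values. The helper below is an added example by the editor, not code from the report or from Joe Sandbox: it parses bullet lines of exactly this shape into (API, module, arguments) and tags the behaviours. The rule names are hypothetical labels chosen here, not the sandbox's signature identifiers, and the two embedded listings are lines copied from the functions above.

```python
"""Turn the API bullet lists of a Joe Sandbox function listing into behaviour tags.

Added example by the editor, not code from the report or from Joe Sandbox.
The rule names (RULES) are hypothetical labels, not sandbox signature IDs.
"""
import re

# One bullet line of an "APIs" block: "• Name.MODULE(args), ref: ADDR", optionally
# prefixed with "Part of subcall function XXXXXXXX:". Some calls carry no argument list.
CALL = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(\w+)\.(\w+)(?:\(([^)]*)\))?"
)


def parse_calls(listing):
    """Return [(api, module, [args...]), ...] in listing order."""
    calls = []
    for line in listing.splitlines():
        m = CALL.match(line)
        if not m:
            continue
        api, module, args = m.groups()
        arglist = [a.strip() for a in args.split(",")] if args else []
        calls.append((api, module, arglist))
    return calls


def _hex(arg):
    """Argument as int, or None for placeholders such as '?' or string literals."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


# Hypothetical rule names (assumption): every API in the set must appear in the block.
RULES = {
    "force-foreground-window": {"AttachThreadInput", "keybd_event", "SetForegroundWindow"},
    "alternate-user-desktop-setup": {"DuplicateTokenEx", "OpenWindowStationW", "OpenDesktopW"},
    "clipboard-read": {"OpenClipboard", "GetClipboardData"},
    "registry-write": {"RegCreateKeyExW", "RegSetValueExW"},
}


def classify(calls):
    present = {api for api, _, _ in calls}
    return sorted(rule for rule, needed in RULES.items() if needed <= present)


VK_MENU = 0x12  # Alt; a synthetic Alt press satisfies SetForegroundWindow's focus rules


def alt_key_trick(calls):
    """True when keybd_event is driven with VK_MENU, i.e. a synthetic Alt press."""
    return any(api == "keybd_event" and args and _hex(args[0]) == VK_MENU
               for api, _, args in calls)


CLIPBOARD_FORMAT = {0x1: "CF_TEXT", 0xD: "CF_UNICODETEXT"}


def clipboard_formats(calls):
    """Which clipboard formats the block asks GetClipboardData for."""
    return sorted({CLIPBOARD_FORMAT.get(_hex(args[0]), "unknown")
                   for api, _, args in calls if api == "GetClipboardData" and args})


# Lines copied from the 00C6DA8E and 00CA4284 listings above (subset).
FOREGROUND_LISTING = """\
• GetForegroundWindow.USER32(00000000,?), ref: 00C34A3D
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C6DA8E
• SetForegroundWindow.USER32(?), ref: 00C6DAAE
• AttachThreadInput.USER32(?,00000000,00000001), ref: 00C6DAE8
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00C6DB10
• keybd_event.USER32(00000012,00000000), ref: 00C6DB1B
• SetForegroundWindow.USER32(?), ref: 00C6DB4A
"""
CLIPBOARD_LISTING = """\
• OpenClipboard.USER32(00CBF910), ref: 00CA4284
• IsClipboardFormatAvailable.USER32(0000000D), ref: 00CA4292
• GetClipboardData.USER32(0000000D), ref: 00CA429A
• CloseClipboard.USER32 ref: 00CA42A6
• GetClipboardData.USER32(00000001), ref: 00CA42F6
"""

if __name__ == "__main__":
    for name, text in (("foreground", FOREGROUND_LISTING), ("clipboard", CLIPBOARD_LISTING)):
        calls = parse_calls(text)
        print(name, classify(calls), alt_key_trick(calls), clipboard_formats(calls))
```

The set-based rules deliberately ignore call order, because the listing interleaves subcall lines with the function's own calls; order-sensitive checks (such as requiring the Alt press between the two SetForegroundWindow calls) belong in a second pass over the parsed tuples rather than in the rule table. Note also that every one of these routines is part of the AutoIt runtime that ships inside any compiled AutoIt script, so a hit on its own describes the wrapper, not the FormBook payload the report detected by Yara.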
                APIs
                • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00C9F37E
                • _wcscmp.LIBCMT ref: 00C9F393
                • _wcscmp.LIBCMT ref: 00C9F3AA
                  • Part of subcall function 00C945C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00C945DC
                • FindNextFileW.KERNEL32(00000000,?), ref: 00C9F3D9
                • FindClose.KERNEL32(00000000), ref: 00C9F3E4
                • FindFirstFileW.KERNEL32(*.*,?), ref: 00C9F400
                • _wcscmp.LIBCMT ref: 00C9F427
                • _wcscmp.LIBCMT ref: 00C9F43E
                • SetCurrentDirectoryW.KERNEL32(?), ref: 00C9F450
                • SetCurrentDirectoryW.KERNEL32(00CEA5A0), ref: 00C9F46E
                • FindNextFileW.KERNEL32(00000000,00000010), ref: 00C9F478
                • FindClose.KERNEL32(00000000), ref: 00C9F485
                • FindClose.KERNEL32(00000000), ref: 00C9F497
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                • String ID: *.*
                • API String ID: 1824444939-438819550
                • Opcode ID: de2a7f7a27faadb93fc78371e999aa062ed0358c56bc35fec3dd2219774389ec
                • Instruction ID: 6dbe0a8d3df4030c14ad43593593842d9c7c47443c9944369af248cad98f004e
                • Opcode Fuzzy Hash: de2a7f7a27faadb93fc78371e999aa062ed0358c56bc35fec3dd2219774389ec
                • Instruction Fuzzy Hash: F431C2755012196FCF109BA4EC88BEE77AC9F09365F1402B9E824E21A0DB34DB86DB64
                APIs
                  • Part of subcall function 00C8874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C88766
                  • Part of subcall function 00C8874A: GetLastError.KERNEL32(?,00C8822A,?,?,?), ref: 00C88770
                  • Part of subcall function 00C8874A: GetProcessHeap.KERNEL32(00000008,?,?,00C8822A,?,?,?), ref: 00C8877F
                  • Part of subcall function 00C8874A: HeapAlloc.KERNEL32(00000000,?,00C8822A,?,?,?), ref: 00C88786
                  • Part of subcall function 00C8874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C8879D
                  • Part of subcall function 00C887E7: GetProcessHeap.KERNEL32(00000008,00C88240,00000000,00000000,?,00C88240,?), ref: 00C887F3
                  • Part of subcall function 00C887E7: HeapAlloc.KERNEL32(00000000,?,00C88240,?), ref: 00C887FA
                  • Part of subcall function 00C887E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00C88240,?), ref: 00C8880B
                • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C8825B
                • _memset.LIBCMT ref: 00C88270
                • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C8828F
                • GetLengthSid.ADVAPI32(?), ref: 00C882A0
                • GetAce.ADVAPI32(?,00000000,?), ref: 00C882DD
                • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C882F9
                • GetLengthSid.ADVAPI32(?), ref: 00C88316
                • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00C88325
                • HeapAlloc.KERNEL32(00000000), ref: 00C8832C
                • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C8834D
                • CopySid.ADVAPI32(00000000), ref: 00C88354
                • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C88385
                • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C883AB
                • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C883BF
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                • String ID:
                • API String ID: 3996160137-0
                • Opcode ID: b746d6dfe4a1a0220efb121974ef0759068cfe087ba9ade6ec50c6bdecf1ea26
                • Instruction ID: 6743a1c1785e4c97599ef3b549ba7f1a37f3bb2535c61a5411f42ed0c175d917
                • Opcode Fuzzy Hash: b746d6dfe4a1a0220efb121974ef0759068cfe087ba9ade6ec50c6bdecf1ea26
                • Instruction Fuzzy Hash: 84614E7190020ABFDF00EF94DD44AEEBB79FF04704F548269F825A72A1DB319A09DB64
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID:
                • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$xlscopxlscopxlscopxlscopxlscopxlscopxlscopxlscopxlscopxlscopxlscopxlscopxlscopxlscopxlscopxlscopxlscopxlscopxlscopxls5opxls5opxls8
                • API String ID: 0-272045060
                • Opcode ID: 89e49fbb381c0bcbb9a0da515cbf39a985dbc9d59c84b2a87d747dbdf0d41db5
                • Instruction ID: 9ab0f6a63766809eb16e57f43788e6e107ca3dea86dffabb7b508eff0d749a5d
                • Opcode Fuzzy Hash: 89e49fbb381c0bcbb9a0da515cbf39a985dbc9d59c84b2a87d747dbdf0d41db5
                • Instruction Fuzzy Hash: BB72A071E002198BDF24DF59C8807AEB7F5FF48314F18816AE859EB284E7309E81DB95
                APIs
                  • Part of subcall function 00CB10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CB0038,?,?), ref: 00CB10BC
                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CB0737
                  • Part of subcall function 00C39997: __itow.LIBCMT ref: 00C399C2
                  • Part of subcall function 00C39997: __swprintf.LIBCMT ref: 00C39A0C
                • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00CB07D6
                • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00CB086E
                • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00CB0AAD
                • RegCloseKey.ADVAPI32(00000000), ref: 00CB0ABA
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                • String ID:
                • API String ID: 1240663315-0
                • Opcode ID: acb9d8131c6197f5ab6a1b94101bd1a8da85b5a03ad4bd8e8644e6a670ded225
                • Instruction ID: f272d660a1fbb1747014299712d9eaa15fba0ddebf7617d1bc9f7ceb6302d74f
                • Opcode Fuzzy Hash: acb9d8131c6197f5ab6a1b94101bd1a8da85b5a03ad4bd8e8644e6a670ded225
                • Instruction Fuzzy Hash: C9E14B71204310AFCB14DF29C891E6BBBE4FF89714F14896DF85ADB2A2DA30E905DB51
                APIs
                • GetKeyboardState.USER32(?), ref: 00C90241
                • GetAsyncKeyState.USER32(000000A0), ref: 00C902C2
                • GetKeyState.USER32(000000A0), ref: 00C902DD
                • GetAsyncKeyState.USER32(000000A1), ref: 00C902F7
                • GetKeyState.USER32(000000A1), ref: 00C9030C
                • GetAsyncKeyState.USER32(00000011), ref: 00C90324
                • GetKeyState.USER32(00000011), ref: 00C90336
                • GetAsyncKeyState.USER32(00000012), ref: 00C9034E
                • GetKeyState.USER32(00000012), ref: 00C90360
                • GetAsyncKeyState.USER32(0000005B), ref: 00C90378
                • GetKeyState.USER32(0000005B), ref: 00C9038A
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: State$Async$Keyboard
                • String ID:
                • API String ID: 541375521-0
                • Opcode ID: b470e881f8804469b2c59fedcab55e559465cb9508bbc350b8512b8b27488503
                • Instruction ID: 357ead617cb7c5ebfda3b705a5ca78442c046e5a3e321ea9b94e588c67742bc8
                • Opcode Fuzzy Hash: b470e881f8804469b2c59fedcab55e559465cb9508bbc350b8512b8b27488503
                • Instruction Fuzzy Hash: FB41CC34504BC96EFF319B64880C3B9BEA07F12340F68819ED5D6462D2E7D45BC8C7A2
                APIs
                  • Part of subcall function 00C39997: __itow.LIBCMT ref: 00C399C2
                  • Part of subcall function 00C39997: __swprintf.LIBCMT ref: 00C39A0C
                • CoInitialize.OLE32 ref: 00CA8718
                • CoUninitialize.OLE32 ref: 00CA8723
                • CoCreateInstance.OLE32(?,00000000,00000017,00CC2BEC,?), ref: 00CA8783
                • IIDFromString.OLE32(?,?), ref: 00CA87F6
                • VariantInit.OLEAUT32(?), ref: 00CA8890
                • VariantClear.OLEAUT32(?), ref: 00CA88F1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                • API String ID: 834269672-1287834457
                • Opcode ID: 7b9bafbe639e4670d9953e32a338b56182ef14955ef09155ba6ecfb1f73da659
                • Instruction ID: b52d4da2af3fc7f74bd5bccff03c310a61905b700bd7240b755f422eba1466ba
                • Opcode Fuzzy Hash: 7b9bafbe639e4670d9953e32a338b56182ef14955ef09155ba6ecfb1f73da659
                • Instruction Fuzzy Hash: DD61BC706083029FC710DF25C889B6EBBE4EF4A718F10091DF8959B291DB74EE48CB92
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                • String ID:
                • API String ID: 1737998785-0
                • Opcode ID: b1719f3a96935df9526fb2ed07a33c232ef3c3e2c66a02533c447541da896ce2
                • Instruction ID: 473cedc2fbdde2098787cb6d02939bf4b940e1226f646989b086a0647812075b
                • Opcode Fuzzy Hash: b1719f3a96935df9526fb2ed07a33c232ef3c3e2c66a02533c447541da896ce2
                • Instruction Fuzzy Hash: F321C4353002219FDB14AF64EC19B6D77A8EF44715F10812AF946DB3B1CBB0AD02EB55
                APIs
                  • Part of subcall function 00C348AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C348A1,?,?,00C337C0,?), ref: 00C348CE
                  • Part of subcall function 00C94CD3: GetFileAttributesW.KERNEL32(?,00C93947), ref: 00C94CD4
                • FindFirstFileW.KERNEL32(?,?), ref: 00C93ADF
                • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00C93B87
                • MoveFileW.KERNEL32(?,?), ref: 00C93B9A
                • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00C93BB7
                • FindNextFileW.KERNEL32(00000000,00000010), ref: 00C93BD9
                • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00C93BF5
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                • String ID: \*.*
                • API String ID: 4002782344-1173974218
                • Opcode ID: 2d58806b53afccba6a7193a959ddfa442aa50fbcb51671188cc6d788aad8c8c3
                • Instruction ID: 70e2d121e5b636809493ab5f75d2fb0dd3f5ba842cf70ac2e15f70753df60dfb
                • Opcode Fuzzy Hash: 2d58806b53afccba6a7193a959ddfa442aa50fbcb51671188cc6d788aad8c8c3
                • Instruction Fuzzy Hash: 14518F718012899BCF15EBA0CD969FDB7B9AF14300F2442A9E41277191EF306F09EBA0
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID:
                • String ID: ERCP$VUUU$VUUU$VUUU$VUUU$xlscopxlscopxlscopxlscopxlscopxlscopxlscopxlscopxlscopxlscopxlscopxlscopxlscopxlscopxlscopxlscopxlscopxlscopxlscopxls5opxls5opxls8
                • API String ID: 0-467701368
                • Opcode ID: 56475d1e5a16a385336afcb230f0fd3fe7c2e66b6794aff94c5a95d37222cef4
                • Instruction ID: 7be2cf0837de55325aadd757869cbf6a48b2319b2360f5c3c9ad6a922de93b05
                • Opcode Fuzzy Hash: 56475d1e5a16a385336afcb230f0fd3fe7c2e66b6794aff94c5a95d37222cef4
                • Instruction Fuzzy Hash: 53A28170E0421ACBDF28CF59C9847ADB7B1BF54314F24C2AAE969A7280D7309E85DF50
                APIs
                  • Part of subcall function 00C37F41: _memmove.LIBCMT ref: 00C37F82
                • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00C9F6AB
                • Sleep.KERNEL32(0000000A), ref: 00C9F6DB
                • _wcscmp.LIBCMT ref: 00C9F6EF
                • _wcscmp.LIBCMT ref: 00C9F70A
                • FindNextFileW.KERNEL32(?,?), ref: 00C9F7A8
                • FindClose.KERNEL32(00000000), ref: 00C9F7BE
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                • String ID: *.*
                • API String ID: 713712311-438819550
                • Opcode ID: 0b2399caa6463732468ae014884b898834d17b612c716a4e9eecfc15baa0df85
                • Instruction ID: d0b441280691e77ec676c9167b8b781cffc15fb160f06b85816fb1f50709efbd
                • Opcode Fuzzy Hash: 0b2399caa6463732468ae014884b898834d17b612c716a4e9eecfc15baa0df85
                • Instruction Fuzzy Hash: CD414F7590021A9FDF15DFA4CC89AEEBBB4FF05310F14456AE825E22A1DB309E85DB90
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: _memmove
                • String ID:
                • API String ID: 4104443479-0
                • Opcode ID: 849666e553456e2a02cf28896589b9aec3f4c9e556f52e8bc5e40595b5f9573b
                • Instruction ID: 51ea2f8dd4f944fb1340918fa167677ebfd30cf8a11edcaa10614ab4d537901b
                • Opcode Fuzzy Hash: 849666e553456e2a02cf28896589b9aec3f4c9e556f52e8bc5e40595b5f9573b
                • Instruction Fuzzy Hash: 01129B70A00609EFDF14DFA5D981AEEB3F5FF48300F204229E816A7291EB35AE55DB54
                APIs
                  • Part of subcall function 00C88CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C88D0D
                  • Part of subcall function 00C88CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C88D3A
                  • Part of subcall function 00C88CC3: GetLastError.KERNEL32 ref: 00C88D47
                • ExitWindowsEx.USER32(?,00000000), ref: 00C9549B
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                • String ID: $@$SeShutdownPrivilege
                • API String ID: 2234035333-194228
                • Opcode ID: 12c3b76122c78ce65b0119b4dde153f65f3e7b8fadc659a55461f0fa0c40b865
                • Instruction ID: dbfbd8bcbc80c5348309a95a83665ab0039d736d27ff97f490c0851973ccc96b
                • Opcode Fuzzy Hash: 12c3b76122c78ce65b0119b4dde153f65f3e7b8fadc659a55461f0fa0c40b865
                • Instruction Fuzzy Hash: A0014731654A012AEFB96278EC4EBBA7258EB04343F200135FD16E21D2DA505C8083D0
                APIs
                • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00CA65EF
                • WSAGetLastError.WSOCK32(00000000), ref: 00CA65FE
                • bind.WSOCK32(00000000,?,00000010), ref: 00CA661A
                • listen.WSOCK32(00000000,00000005), ref: 00CA6629
                • WSAGetLastError.WSOCK32(00000000), ref: 00CA6643
                • closesocket.WSOCK32(00000000,00000000), ref: 00CA6657
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: ErrorLast$bindclosesocketlistensocket
                • String ID:
                • API String ID: 1279440585-0
                • Opcode ID: db36dd9b2a29c5ebc8bbd89a4ae90250aa0915e0ead962cda935339f14377570
                • Instruction ID: f1c409a85b66cbc25843b741ed74ed31082375cdf7345bb64e5660930fec93c6
                • Opcode Fuzzy Hash: db36dd9b2a29c5ebc8bbd89a4ae90250aa0915e0ead962cda935339f14377570
                • Instruction Fuzzy Hash: 4C21B1346002059FCB10EF64DC49B6EB7A9EF46724F148269F96AE73D1CB70AD01EB51
                APIs
                  • Part of subcall function 00C50FF6: std::exception::exception.LIBCMT ref: 00C5102C
                  • Part of subcall function 00C50FF6: __CxxThrowException@8.LIBCMT ref: 00C51041
                • _memmove.LIBCMT ref: 00C8062F
                • _memmove.LIBCMT ref: 00C80744
                • _memmove.LIBCMT ref: 00C807EB
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: _memmove$Exception@8Throwstd::exception::exception
                • String ID:
                • API String ID: 1300846289-0
                • Opcode ID: 68f8b712599e38ffdb741c463c78a699f38f08012c55340659d1ac1fc812435b
                • Instruction ID: 69eb2d8256c13a564567895cf84b44b2508c6f694369ffab20d5cb8d5f7b96f8
                • Opcode Fuzzy Hash: 68f8b712599e38ffdb741c463c78a699f38f08012c55340659d1ac1fc812435b
                • Instruction Fuzzy Hash: 080290B0E00209DBDF04DF64D981AAEBBB5FF84304F248069E806DB295EB31DA55DB95
                APIs
                  • Part of subcall function 00C32612: GetWindowLongW.USER32(?,000000EB), ref: 00C32623
                • DefDlgProcW.USER32(?,?,?,?,?), ref: 00C319FA
                • GetSysColor.USER32(0000000F), ref: 00C31A4E
                • SetBkColor.GDI32(?,00000000), ref: 00C31A61
                  • Part of subcall function 00C31290: DefDlgProcW.USER32(?,00000020,?), ref: 00C312D8
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: ColorProc$LongWindow
                • String ID:
                • API String ID: 3744519093-0
                • Opcode ID: aab01c3c68b6aa6e17a269fd0b338b8f7f066963ab7703c0655a0fbe4245e968
                • Instruction ID: eebddd5c0cd0fa003cf43cfade1c85c8eb32cba56da80b4b43656315cc9dbbee
                • Opcode Fuzzy Hash: aab01c3c68b6aa6e17a269fd0b338b8f7f066963ab7703c0655a0fbe4245e968
                • Instruction Fuzzy Hash: FBA12871125544BFDA38AB2A8C95EFF259CDB41387F1C011AFC22D6192CA149F41F2B6
                APIs
                  • Part of subcall function 00CA80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00CA80CB
                • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00CA6AB1
                • WSAGetLastError.WSOCK32(00000000), ref: 00CA6ADA
                • bind.WSOCK32(00000000,?,00000010), ref: 00CA6B13
                • WSAGetLastError.WSOCK32(00000000), ref: 00CA6B20
                • closesocket.WSOCK32(00000000,00000000), ref: 00CA6B34
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: ErrorLast$bindclosesocketinet_addrsocket
                • String ID:
                • API String ID: 99427753-0
                • Opcode ID: 0f72f4bec0aab93a09e682b47e51fbc6b7eb8150f0f36faefca744fcfee69bd8
                • Instruction ID: 316c5347fd06730238d8e8ce5226a67e54d0565487a8172f3e8aca8cf878c29b
                • Opcode Fuzzy Hash: 0f72f4bec0aab93a09e682b47e51fbc6b7eb8150f0f36faefca744fcfee69bd8
                • Instruction Fuzzy Hash: F541D375B10314AFEB10AF24DC86F6E77A8DB09714F04815CF95AAB3D2CBB49D01AB91
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Window$EnabledForegroundIconicVisibleZoomed
                • String ID:
                • API String ID: 292994002-0
                • Opcode ID: bd0d2dbb5bb5633c17f1be6dbacb1119f95c39f69a53f590980d33e4062d9f08
                • Instruction ID: 793636963319592a6f0633b0bac6af4c6a704262d0007c143c21e16dba8513cf
                • Opcode Fuzzy Hash: bd0d2dbb5bb5633c17f1be6dbacb1119f95c39f69a53f590980d33e4062d9f08
                • Instruction Fuzzy Hash: 0211C131700A106FE7212F26DC44BAFBB98EF44721F844129F856D7341CB70DE029AA5
                APIs
                • LoadLibraryA.KERNEL32(kernel32.dll,?,00C71D88,?), ref: 00CAC312
                • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00CAC324
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: AddressLibraryLoadProc
                • String ID: GetSystemWow64DirectoryW$kernel32.dll
                • API String ID: 2574300362-1816364905
                • Opcode ID: dc719defe8d102487e35093129c9ef90fb7a2bedc5950b8441b8c9442e767d26
                • Instruction ID: 70486454a8385512d57d79186ba11771ec1009938fc121bb7f3c09bb29bcb973
                • Opcode Fuzzy Hash: dc719defe8d102487e35093129c9ef90fb7a2bedc5950b8441b8c9442e767d26
                • Instruction Fuzzy Hash: 9AE08CB0201303CFCF204B29CC84B8A76D8EB19318F80C83DE8A6D6320E770D882CA60
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: __itow__swprintf
                • String ID:
                • API String ID: 674341424-0
                • Opcode ID: fca710b7b95b1c088e3d1706478bdf158955677f3c654a26154520a0682b79ca
                • Instruction ID: f84166459289e400c22cf8028e59e20bf9b32b8ccd395f3475c6699f895eeef3
                • Opcode Fuzzy Hash: fca710b7b95b1c088e3d1706478bdf158955677f3c654a26154520a0682b79ca
                • Instruction Fuzzy Hash: 13229B716083419FC724DF24C881BAFB7E4BF84704F108A1DF89A97292DB70EA45DB92
                APIs
                • CreateToolhelp32Snapshot.KERNEL32 ref: 00CAF151
                • Process32FirstW.KERNEL32(00000000,?), ref: 00CAF15F
                  • Part of subcall function 00C37F41: _memmove.LIBCMT ref: 00C37F82
                • Process32NextW.KERNEL32(00000000,?), ref: 00CAF21F
                • CloseHandle.KERNEL32(00000000,?,?,?), ref: 00CAF22E
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                • String ID:
                • API String ID: 2576544623-0
                • Opcode ID: 9dde1f6ef2490d1c0dd6b12d362a0955fde3404f35ed3bd2e2b3b28e4add6336
                • Instruction ID: 5b69056af04f2c31c22e054179683401c76aae51fa39ead25e17d4c5282eee7c
                • Opcode Fuzzy Hash: 9dde1f6ef2490d1c0dd6b12d362a0955fde3404f35ed3bd2e2b3b28e4add6336
                • Instruction Fuzzy Hash: DC518CB1514301AFD320EF24DC85B6FB7E8EF89704F10492DF495972A1EB70AA09DB92
                APIs
                • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00C940D1
                • _memset.LIBCMT ref: 00C940F2
                • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00C94144
                • CloseHandle.KERNEL32(00000000), ref: 00C9414D
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: CloseControlCreateDeviceFileHandle_memset
                • String ID:
                • API String ID: 1157408455-0
                • Opcode ID: c99b3c6e85b7dac938b49a5bd452d89cf5d53c284f5694569b9dc1f0d944732c
                • Instruction ID: 78d256ca457109db94a940498542eff730c7371d91d7b25838abe7607e29cc6f
                • Opcode Fuzzy Hash: c99b3c6e85b7dac938b49a5bd452d89cf5d53c284f5694569b9dc1f0d944732c
                • Instruction Fuzzy Hash: E111EB759013287ADB305BA59C4DFAFBB7CEF44760F10429AF908D7280D6744F818BA4
                APIs
                • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00C8EB19
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: lstrlen
                • String ID: ($|
                • API String ID: 1659193697-1631851259
                • Opcode ID: d1a85961072875154e89c955f51aa67b418888ed09b3b8d5b61ce466b5fbf20f
                • Instruction ID: 58f796da36bc97d42878c12f4d3e132b2d68f4d54b2211aeb40a0f1659082474
                • Opcode Fuzzy Hash: d1a85961072875154e89c955f51aa67b418888ed09b3b8d5b61ce466b5fbf20f
                • Instruction Fuzzy Hash: 14324775A007059FCB28DF59C481A6AB7F0FF48314B11C56EE8AADB3A1E770E941CB48
                APIs
                • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00CA1AFE,00000000), ref: 00CA26D5
                • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00CA270C
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Internet$AvailableDataFileQueryRead
                • String ID:
                • API String ID: 599397726-0
                • Opcode ID: eec667c6e0e8accaf6f3e6a8e20ec7b06b9b6f826f0d2ef9e966fdd921289c23
                • Instruction ID: 0d3986aeeef7551e0f5c3e483047a245adc9fcae5908177b9f1a59931d681cb4
                • Opcode Fuzzy Hash: eec667c6e0e8accaf6f3e6a8e20ec7b06b9b6f826f0d2ef9e966fdd921289c23
                • Instruction Fuzzy Hash: CF41E77590021ABFEB20DE99CC85FBBB7BCEB4171CF10406AFA11E6140EA719F85A654
                APIs
                • SetErrorMode.KERNEL32(00000001), ref: 00C9B5AE
                • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00C9B608
                • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00C9B655
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: ErrorMode$DiskFreeSpace
                • String ID:
                • API String ID: 1682464887-0
                • Opcode ID: 58173d073e3cbea126934a71d730ef4eeb7e5dd450f1a7df70225fdb34d45a1d
                • Instruction ID: 46e709ff7022b70c5c78ebfa0dd44c53d686a4d9b3f7730f2f5e8144e740c719
                • Opcode Fuzzy Hash: 58173d073e3cbea126934a71d730ef4eeb7e5dd450f1a7df70225fdb34d45a1d
                • Instruction Fuzzy Hash: ED216035A10118EFCB00EFA5DC84FADBBB8FF48314F1481A9E845AB351DB31A916DB51
                APIs
                  • Part of subcall function 00C50FF6: std::exception::exception.LIBCMT ref: 00C5102C
                  • Part of subcall function 00C50FF6: __CxxThrowException@8.LIBCMT ref: 00C51041
                • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C88D0D
                • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C88D3A
                • GetLastError.KERNEL32 ref: 00C88D47
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                • String ID:
                • API String ID: 1922334811-0
                • Opcode ID: 374e828bb907b927ac419243ba5c7c3e449696142dcb428aa842c80f40018105
                • Instruction ID: 5c69de351a5d68b5bf35cf3ed7f97bf44c1c40a9559c994c0f9dee99ceaa1049
                • Opcode Fuzzy Hash: 374e828bb907b927ac419243ba5c7c3e449696142dcb428aa842c80f40018105
                • Instruction Fuzzy Hash: 7F11BFB1414209AFD728AF58EC85E6BB7B8EB44715B20862EF85683651EB70BC458B24
                APIs
                • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00C94C2C
                • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00C94C43
                • FreeSid.ADVAPI32(?), ref: 00C94C53
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: AllocateCheckFreeInitializeMembershipToken
                • String ID:
                • API String ID: 3429775523-0
                • Opcode ID: 69bdf23f6eca150740eb74f439d2c8c27b0788038865bdc25a960d16a2ea878b
                • Instruction ID: 00e95f7b7cf37c7897065822789bc0975b9d3527fe79a8537ba9f7a1466f7b22
                • Opcode Fuzzy Hash: 69bdf23f6eca150740eb74f439d2c8c27b0788038865bdc25a960d16a2ea878b
                • Instruction Fuzzy Hash: 00F04975A1130CBFDF04DFF0EC89BAEBBBCEF08201F0045A9A901E2291E7706A048B50
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f2580d303800ff4bc63aa926f4fbe4a9ee456a9173a573337ba84d51918b3625
                • Instruction ID: c0f76d7aa157068f631421fba4384e81ae68009a91008bf3e996214d2659aa47
                • Opcode Fuzzy Hash: f2580d303800ff4bc63aa926f4fbe4a9ee456a9173a573337ba84d51918b3625
                • Instruction Fuzzy Hash: 7822BD74A1021ACFDB24DF54C484BAEB7F0FF48300F148569E866AB391E735AE85DB91
                APIs
                • FindFirstFileW.KERNEL32(?,?), ref: 00C9C966
                • FindClose.KERNEL32(00000000), ref: 00C9C996
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Find$CloseFileFirst
                • String ID:
                • API String ID: 2295610775-0
                • Opcode ID: d176688d0bce2d2cec3187c7087962c5722c01c380bb270f116fc4e586e491eb
                • Instruction ID: a2b8a2b50331f9897eb134a21f2df8d522d1bbd78192ebbd14e45b5e13c065ec
                • Opcode Fuzzy Hash: d176688d0bce2d2cec3187c7087962c5722c01c380bb270f116fc4e586e491eb
                • Instruction Fuzzy Hash: 6911A5316102009FDB10EF29C845A2AF7E9FF44324F00861EF8A9D7391DB70AC01DB81
                APIs
                • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00CA977D,?,00CBFB84,?), ref: 00C9A302
                • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00CA977D,?,00CBFB84,?), ref: 00C9A314
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: ErrorFormatLastMessage
                • String ID:
                • API String ID: 3479602957-0
                • Opcode ID: ff8918c7acc72591bede9695506c07c92b1775502a96d67c7b0856f214ffd059
                • Instruction ID: c81a24cfaa03b23ca00c5b8da72641f704330ec2e2bc9e918517c8ee711276f3
                • Opcode Fuzzy Hash: ff8918c7acc72591bede9695506c07c92b1775502a96d67c7b0856f214ffd059
                • Instruction Fuzzy Hash: 7CF0823554422DEBDB20AFA5CC48FEA776DBF09761F004269F918D7291D6309940CBE1
                APIs
                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C88851), ref: 00C88728
                • CloseHandle.KERNEL32(?,?,00C88851), ref: 00C8873A
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: AdjustCloseHandlePrivilegesToken
                • String ID:
                • API String ID: 81990902-0
                • Opcode ID: 0576bcc3e744df1dba7fd1ec57cf3b56fc6e02a2d8dc2333252411953bde7ebe
                • Instruction ID: a562dd8b733d0a5cbeb2e8fdf9e7e2ad8aa1f588588b60d97ee1d39bea501b74
                • Opcode Fuzzy Hash: 0576bcc3e744df1dba7fd1ec57cf3b56fc6e02a2d8dc2333252411953bde7ebe
                • Instruction Fuzzy Hash: 01E04636000600EEE7222B20EC08F777BE9EB04365B28892DB89680470CB62ACD1EB10
                APIs
                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00C58F97,?,?,?,00000001), ref: 00C5A39A
                • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00C5A3A3
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: ExceptionFilterUnhandled
                • String ID:
                • API String ID: 3192549508-0
                • Opcode ID: d59ff0fd59d1a1f2404f5d96c5cd23fd570f1fb72d4d9848332a46075d828989
                • Instruction ID: 3d5fc2f4ec09efc74a117f9458b0f7621679fb740cd9cc68bec1c050a9cc7d25
                • Opcode Fuzzy Hash: d59ff0fd59d1a1f2404f5d96c5cd23fd570f1fb72d4d9848332a46075d828989
                • Instruction Fuzzy Hash: 88B09231054208ABCA002B91EC09B8C3FA8EB44AA2F408124F60E84270CB6254528A91
                Strings
                • Variable must be of type 'Object'., xrefs: 00C7428C
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID:
                • String ID: Variable must be of type 'Object'.
                • API String ID: 0-109567571
                • Opcode ID: db25775d0244369cd1108b38fb91b2a318ba4d3f065951a6cc6fcee55758f2cc
                • Instruction ID: a86ccd72db976da551c10d3d1c9e280402ebf800fd75b5d739a5bdc9fe685f3a
                • Opcode Fuzzy Hash: db25775d0244369cd1108b38fb91b2a318ba4d3f065951a6cc6fcee55758f2cc
                • Instruction Fuzzy Hash: 64A27C74E14205CFCB24CF58C480AAEB7B1FF48314F248569E92AAB391D775ED82DB91
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0580c3e7b3b1830ab796ade5f5b062ba9c22022d1865ccd0a6cb28f231b22b0b
                • Instruction ID: 24d3b4b973eb921319c08e95fdd49403b19959c0e6d4f90f5a877db6c422d14e
                • Opcode Fuzzy Hash: 0580c3e7b3b1830ab796ade5f5b062ba9c22022d1865ccd0a6cb28f231b22b0b
                • Instruction Fuzzy Hash: D6321325D69F014ED7279634D832339A248EFB73C5F14D73BEC2AB59A6EB2889C30104
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 130770eb916054356e57c35df6690bbcf8c1179922303cfa47196f3a94f7cd93
                • Instruction ID: fcf8b6674683a60677c1e123ad1c2f361e18aa2515f2d013d7f4e3f94d44b847
                • Opcode Fuzzy Hash: 130770eb916054356e57c35df6690bbcf8c1179922303cfa47196f3a94f7cd93
                • Instruction Fuzzy Hash: E2B1F020D2AF454DD7239639C87933ABA4CAFBB2C9F55E71BFC2674D22EB2185834141
                APIs
                • __time64.LIBCMT ref: 00C98B25
                  • Part of subcall function 00C5543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00C991F8,00000000,?,?,?,?,00C993A9,00000000,?), ref: 00C55443
                  • Part of subcall function 00C5543A: __aulldiv.LIBCMT ref: 00C55463
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Time$FileSystem__aulldiv__time64
                • String ID:
                • API String ID: 2893107130-0
                • Opcode ID: e75f3a5d0bf93c293f789715a7043e0ca0e528e93660779f9310a44f2f560443
                • Instruction ID: b82167b4f09223cb7d193a083dcd0cb30147dd87033dcfe776f1b6172e7750ad
                • Opcode Fuzzy Hash: e75f3a5d0bf93c293f789715a7043e0ca0e528e93660779f9310a44f2f560443
                • Instruction Fuzzy Hash: 4D21E4726355108FC729CF25D841B66B3E1EBA5311B288F6CD1F5CB2D0CA74B949CB94
                APIs
                • BlockInput.USER32(00000001), ref: 00CA4218
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: BlockInput
                • String ID:
                • API String ID: 3456056419-0
                APIs
                • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00C94EEC
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: mouse_event
                • String ID:
                • API String ID: 2434400541-0
                APIs
                • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00C888D1), ref: 00C88CB3
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: LogonUser
                • String ID:
                • API String ID: 1244722697-0
                APIs
                • GetUserNameW.ADVAPI32(?,?), ref: 00C72242
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: NameUser
                • String ID:
                • API String ID: 2645101109-0
                APIs
                • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00C5A36A
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: ExceptionFilterUnhandled
                • String ID:
                • API String ID: 3192549508-0
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                Memory Dump Source
                • Source File: 00000000.00000002.2159501042.00000000015DC000.00000040.00000020.00020000.00000000.sdmp, Offset: 015DC000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_15dc000_W1POMvaEjU.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                Memory Dump Source
                • Source File: 00000000.00000002.2159501042.00000000015DC000.00000040.00000020.00020000.00000000.sdmp, Offset: 015DC000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_15dc000_W1POMvaEjU.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                Memory Dump Source
                • Source File: 00000000.00000002.2159501042.00000000015DC000.00000040.00000020.00020000.00000000.sdmp, Offset: 015DC000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_15dc000_W1POMvaEjU.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                Memory Dump Source
                • Source File: 00000000.00000002.2159501042.00000000015DC000.00000040.00000020.00020000.00000000.sdmp, Offset: 015DC000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_15dc000_W1POMvaEjU.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                APIs
                • DeleteObject.GDI32(00000000), ref: 00CA7B70
                • DeleteObject.GDI32(00000000), ref: 00CA7B82
                • DestroyWindow.USER32 ref: 00CA7B90
                • GetDesktopWindow.USER32 ref: 00CA7BAA
                • GetWindowRect.USER32(00000000), ref: 00CA7BB1
                • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00CA7CF2
                • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00CA7D02
                • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CA7D4A
                • GetClientRect.USER32(00000000,?), ref: 00CA7D56
                • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00CA7D90
                • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CA7DB2
                • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CA7DC5
                • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CA7DD0
                • GlobalLock.KERNEL32(00000000), ref: 00CA7DD9
                • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CA7DE8
                • GlobalUnlock.KERNEL32(00000000), ref: 00CA7DF1
                • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CA7DF8
                • GlobalFree.KERNEL32(00000000), ref: 00CA7E03
                • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CA7E15
                • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00CC2CAC,00000000), ref: 00CA7E2B
                • GlobalFree.KERNEL32(00000000), ref: 00CA7E3B
                • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00CA7E61
                • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00CA7E80
                • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CA7EA2
                • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CA808F
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                • String ID: $AutoIt v3$DISPLAY$static
                • API String ID: 2211948467-2373415609
                APIs
                • CharUpperBuffW.USER32(?,?,00CBF910), ref: 00CB38AF
                • IsWindowVisible.USER32(?), ref: 00CB38D3
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: BuffCharUpperVisibleWindow
                • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                • API String ID: 4105515805-45149045
                APIs
                • SetTextColor.GDI32(?,00000000), ref: 00CBA89F
                • GetSysColorBrush.USER32(0000000F), ref: 00CBA8D0
                • GetSysColor.USER32(0000000F), ref: 00CBA8DC
                • SetBkColor.GDI32(?,000000FF), ref: 00CBA8F6
                • SelectObject.GDI32(?,?), ref: 00CBA905
                • InflateRect.USER32(?,000000FF,000000FF), ref: 00CBA930
                • GetSysColor.USER32(00000010), ref: 00CBA938
                • CreateSolidBrush.GDI32(00000000), ref: 00CBA93F
                • FrameRect.USER32(?,?,00000000), ref: 00CBA94E
                • DeleteObject.GDI32(00000000), ref: 00CBA955
                • InflateRect.USER32(?,000000FE,000000FE), ref: 00CBA9A0
                • FillRect.USER32(?,?,?), ref: 00CBA9D2
                • GetWindowLongW.USER32(?,000000F0), ref: 00CBA9FD
                  • Part of subcall function 00CBAB60: GetSysColor.USER32(00000012), ref: 00CBAB99
                  • Part of subcall function 00CBAB60: SetTextColor.GDI32(?,?), ref: 00CBAB9D
                  • Part of subcall function 00CBAB60: GetSysColorBrush.USER32(0000000F), ref: 00CBABB3
                  • Part of subcall function 00CBAB60: GetSysColor.USER32(0000000F), ref: 00CBABBE
                  • Part of subcall function 00CBAB60: GetSysColor.USER32(00000011), ref: 00CBABDB
                  • Part of subcall function 00CBAB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00CBABE9
                  • Part of subcall function 00CBAB60: SelectObject.GDI32(?,00000000), ref: 00CBABFA
                  • Part of subcall function 00CBAB60: SetBkColor.GDI32(?,00000000), ref: 00CBAC03
                  • Part of subcall function 00CBAB60: SelectObject.GDI32(?,?), ref: 00CBAC10
                  • Part of subcall function 00CBAB60: InflateRect.USER32(?,000000FF,000000FF), ref: 00CBAC2F
                  • Part of subcall function 00CBAB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00CBAC46
                  • Part of subcall function 00CBAB60: GetWindowLongW.USER32(00000000,000000F0), ref: 00CBAC5B
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                • String ID:
                • API String ID: 4124339563-0
                APIs
                • DestroyWindow.USER32(00000000), ref: 00CA77F1
                • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00CA78B0
                • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00CA78EE
                • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00CA7900
                • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00CA7946
                • GetClientRect.USER32(00000000,?), ref: 00CA7952
                • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00CA7996
                • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00CA79A5
                • GetStockObject.GDI32(00000011), ref: 00CA79B5
                • SelectObject.GDI32(00000000,00000000), ref: 00CA79B9
                • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00CA79C9
                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CA79D2
                • DeleteDC.GDI32(00000000), ref: 00CA79DB
                • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00CA7A07
                • SendMessageW.USER32(00000030,00000000,00000001), ref: 00CA7A1E
                • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00CA7A59
                • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00CA7A6D
                • SendMessageW.USER32(00000404,00000001,00000000), ref: 00CA7A7E
                • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00CA7AAE
                • GetStockObject.GDI32(00000011), ref: 00CA7AB9
                • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00CA7AC4
                • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00CA7ACE
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                • API String ID: 2910397461-517079104
                APIs
                • SetErrorMode.KERNEL32(00000001), ref: 00C9AF89
                • GetDriveTypeW.KERNEL32(?,00CBFAC0,?,\\.\,00CBF910), ref: 00C9B066
                • SetErrorMode.KERNEL32(00000000,00CBFAC0,?,\\.\,00CBF910), ref: 00C9B1C4
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: ErrorMode$DriveType
                • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                • API String ID: 2907320926-4222207086
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: __wcsnicmp
                • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                • API String ID: 1038674560-86951937
                • Opcode ID: 017fdba7cd87e8f8e8a3d8941d7bbedc9a271ef2e040376eb88d2f8dffd034e2
                • Instruction ID: bbb8517e3a53326260d62cdd0e9aefa9e56031d2b452d66cdcae7eb9a7cad497
                • Opcode Fuzzy Hash: 017fdba7cd87e8f8e8a3d8941d7bbedc9a271ef2e040376eb88d2f8dffd034e2
                • Instruction Fuzzy Hash: 068128B4610245BBCB30AF65CCC2FAF7768AF14741F048025FD45AA1C2EB60EB85F6A5
                APIs
                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00CB9D41
                • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00CB9DFA
                • SendMessageW.USER32(?,00001102,00000002,?), ref: 00CB9E16
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: MessageSend$Window
                • String ID: 0
                • API String ID: 2326795674-4108050209
                • Opcode ID: 8e804a2bea07c6142f42a62e373cfabafc8dc2ee145fdf42a51bfa424991afcc
                • Instruction ID: 1cac65be6ca3b86076fa12c3ad75e65f86516c8f8e92cb49f2abfc75a647a2a8
                • Opcode Fuzzy Hash: 8e804a2bea07c6142f42a62e373cfabafc8dc2ee145fdf42a51bfa424991afcc
                • Instruction Fuzzy Hash: 3E02A030104341AFD725CF24CC49BEABBE5FF49314F04862DFAAA962A1C775DA45CB52
                APIs
                • GetSysColor.USER32(00000012), ref: 00CBAB99
                • SetTextColor.GDI32(?,?), ref: 00CBAB9D
                • GetSysColorBrush.USER32(0000000F), ref: 00CBABB3
                • GetSysColor.USER32(0000000F), ref: 00CBABBE
                • CreateSolidBrush.GDI32(?), ref: 00CBABC3
                • GetSysColor.USER32(00000011), ref: 00CBABDB
                • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00CBABE9
                • SelectObject.GDI32(?,00000000), ref: 00CBABFA
                • SetBkColor.GDI32(?,00000000), ref: 00CBAC03
                • SelectObject.GDI32(?,?), ref: 00CBAC10
                • InflateRect.USER32(?,000000FF,000000FF), ref: 00CBAC2F
                • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00CBAC46
                • GetWindowLongW.USER32(00000000,000000F0), ref: 00CBAC5B
                • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00CBACA7
                • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00CBACCE
                • InflateRect.USER32(?,000000FD,000000FD), ref: 00CBACEC
                • DrawFocusRect.USER32(?,?), ref: 00CBACF7
                • GetSysColor.USER32(00000011), ref: 00CBAD05
                • SetTextColor.GDI32(?,00000000), ref: 00CBAD0D
                • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00CBAD21
                • SelectObject.GDI32(?,00CBA869), ref: 00CBAD38
                • DeleteObject.GDI32(?), ref: 00CBAD43
                • SelectObject.GDI32(?,?), ref: 00CBAD49
                • DeleteObject.GDI32(?), ref: 00CBAD4E
                • SetTextColor.GDI32(?,?), ref: 00CBAD54
                • SetBkColor.GDI32(?,?), ref: 00CBAD5E
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                • String ID:
                • API String ID: 1996641542-0
                • Opcode ID: c60fa10c844dfb1ccc82656a3cb14962df62e322321aa5dab7df59aede551eed
                • Instruction ID: 034fc37e39aebfff917d976ce86518b3ea9a5a9b33c9acc47bd616b37a04f4ec
                • Opcode Fuzzy Hash: c60fa10c844dfb1ccc82656a3cb14962df62e322321aa5dab7df59aede551eed
                • Instruction Fuzzy Hash: 98612C71900218FFDB119FA8DC48FEE7B79EB08321F104629F925AB2A1D6759E41DF90
                APIs
                • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00CB8D34
                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CB8D45
                • CharNextW.USER32(0000014E), ref: 00CB8D74
                • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00CB8DB5
                • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00CB8DCB
                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CB8DDC
                • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00CB8DF9
                • SetWindowTextW.USER32(?,0000014E), ref: 00CB8E45
                • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00CB8E5B
                • SendMessageW.USER32(?,00001002,00000000,?), ref: 00CB8E8C
                • _memset.LIBCMT ref: 00CB8EB1
                • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00CB8EFA
                • _memset.LIBCMT ref: 00CB8F59
                • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00CB8F83
                • SendMessageW.USER32(?,00001074,?,00000001), ref: 00CB8FDB
                • SendMessageW.USER32(?,0000133D,?,?), ref: 00CB9088
                • InvalidateRect.USER32(?,00000000,00000001), ref: 00CB90AA
                • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00CB90F4
                • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00CB9121
                • DrawMenuBar.USER32(?), ref: 00CB9130
                • SetWindowTextW.USER32(?,0000014E), ref: 00CB9158
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                • String ID: 0
                • API String ID: 1073566785-4108050209
                • Opcode ID: 0bb6b45641654566bbfc53038ad44a893c920b04789f3840737460d6528a4003
                • Instruction ID: 223cde142eba0accf160801e39a65e4283dd06486c72d23fd712952517f8fce0
                • Opcode Fuzzy Hash: 0bb6b45641654566bbfc53038ad44a893c920b04789f3840737460d6528a4003
                • Instruction Fuzzy Hash: E9E19374900209ABDF209F65CC84FFE7BBDEF15710F10815AF925A6290DB709A85DF60
                APIs
                • GetCursorPos.USER32(?), ref: 00CB4C51
                • GetDesktopWindow.USER32 ref: 00CB4C66
                • GetWindowRect.USER32(00000000), ref: 00CB4C6D
                • GetWindowLongW.USER32(?,000000F0), ref: 00CB4CCF
                • DestroyWindow.USER32(?), ref: 00CB4CFB
                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00CB4D24
                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CB4D42
                • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00CB4D68
                • SendMessageW.USER32(?,00000421,?,?), ref: 00CB4D7D
                • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00CB4D90
                • IsWindowVisible.USER32(?), ref: 00CB4DB0
                • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00CB4DCB
                • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00CB4DDF
                • GetWindowRect.USER32(?,?), ref: 00CB4DF7
                • MonitorFromPoint.USER32(?,?,00000002), ref: 00CB4E1D
                • GetMonitorInfoW.USER32(00000000,?), ref: 00CB4E37
                • CopyRect.USER32(?,?), ref: 00CB4E4E
                • SendMessageW.USER32(?,00000412,00000000), ref: 00CB4EB9
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                • String ID: ($0$tooltips_class32
                • API String ID: 698492251-4156429822
                • Opcode ID: 5eccd5cfb6d65fb163b2905d473013ad597acd0dbbd8578413c8dff122e72853
                • Instruction ID: 9813e247c47557bb29497c7653e33e069b5aec6cfeb351f07a14453e4ac96f2d
                • Opcode Fuzzy Hash: 5eccd5cfb6d65fb163b2905d473013ad597acd0dbbd8578413c8dff122e72853
                • Instruction Fuzzy Hash: A7B16B71618340AFDB08DF65C845BAABBE4FF88710F008A1DF5999B2A2D771ED05CB91
                APIs
                • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00C946E8
                • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00C9470E
                • _wcscpy.LIBCMT ref: 00C9473C
                • _wcscmp.LIBCMT ref: 00C94747
                • _wcscat.LIBCMT ref: 00C9475D
                • _wcsstr.LIBCMT ref: 00C94768
                • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00C94784
                • _wcscat.LIBCMT ref: 00C947CD
                • _wcscat.LIBCMT ref: 00C947D4
                • _wcsncpy.LIBCMT ref: 00C947FF
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                • API String ID: 699586101-1459072770
                • Opcode ID: 8ddf1347e4eb0fe30ada261015a9b507e2ba8f165dc6f71ee29157632b3744cc
                • Instruction ID: 6fee2979f11889b75222484c799d9f3e8c8edf83ad5da804f4209d641e7bf4f3
                • Opcode Fuzzy Hash: 8ddf1347e4eb0fe30ada261015a9b507e2ba8f165dc6f71ee29157632b3744cc
                • Instruction Fuzzy Hash: 40416B359002147BDB14ABB49C47FBF77ACDF42751F040169FD04F6182EB30AA46A3A9
                APIs
                • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C328BC
                • GetSystemMetrics.USER32(00000007), ref: 00C328C4
                • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C328EF
                • GetSystemMetrics.USER32(00000008), ref: 00C328F7
                • GetSystemMetrics.USER32(00000004), ref: 00C3291C
                • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00C32939
                • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00C32949
                • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00C3297C
                • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00C32990
                • GetClientRect.USER32(00000000,000000FF), ref: 00C329AE
                • GetStockObject.GDI32(00000011), ref: 00C329CA
                • SendMessageW.USER32(00000000,00000030,00000000), ref: 00C329D5
                  • Part of subcall function 00C32344: GetCursorPos.USER32(?), ref: 00C32357
                  • Part of subcall function 00C32344: ScreenToClient.USER32(00CF67B0,?), ref: 00C32374
                  • Part of subcall function 00C32344: GetAsyncKeyState.USER32(00000001), ref: 00C32399
                  • Part of subcall function 00C32344: GetAsyncKeyState.USER32(00000002), ref: 00C323A7
                • SetTimer.USER32(00000000,00000000,00000028,00C31256), ref: 00C329FC
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                • String ID: AutoIt v3 GUI
                • API String ID: 1458621304-248962490
                • Opcode ID: 2fbcbf135545ee112ddd9c14f1c9df283dceadb7c538aecc005b3287c3664c8c
                • Instruction ID: 1857cf80de8bd279cf5d94a898a38fd00d8a3004229fc60cd47aa33b21cc45c9
                • Opcode Fuzzy Hash: 2fbcbf135545ee112ddd9c14f1c9df283dceadb7c538aecc005b3287c3664c8c
                • Instruction Fuzzy Hash: 16B15071600209AFDF24DFA8DC85BEE7BB4FB08314F108229FA15A72E0DB74A941DB51
                APIs
                • CharUpperBuffW.USER32(?,?), ref: 00CB40F6
                • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00CB41B6
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: BuffCharMessageSendUpper
                • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                • API String ID: 3974292440-719923060
                • Opcode ID: 678ba9f35eb539dd5c1062416318efc13e0d2473f9ce59db6f6e4b2bee69f29e
                • Instruction ID: 3f1d5ae611b4c1f4dfa3da3a249a808e2f0a685720470b480f3cf071de5c5aeb
                • Opcode Fuzzy Hash: 678ba9f35eb539dd5c1062416318efc13e0d2473f9ce59db6f6e4b2bee69f29e
                • Instruction Fuzzy Hash: B5A17F702283429BCB18EF15C951ABAB7E5FF84314F14496CB8A69B2D3DB70ED05EB41
                APIs
                • LoadCursorW.USER32(00000000,00007F89), ref: 00CA5309
                • LoadCursorW.USER32(00000000,00007F8A), ref: 00CA5314
                • LoadCursorW.USER32(00000000,00007F00), ref: 00CA531F
                • LoadCursorW.USER32(00000000,00007F03), ref: 00CA532A
                • LoadCursorW.USER32(00000000,00007F8B), ref: 00CA5335
                • LoadCursorW.USER32(00000000,00007F01), ref: 00CA5340
                • LoadCursorW.USER32(00000000,00007F81), ref: 00CA534B
                • LoadCursorW.USER32(00000000,00007F88), ref: 00CA5356
                • LoadCursorW.USER32(00000000,00007F80), ref: 00CA5361
                • LoadCursorW.USER32(00000000,00007F86), ref: 00CA536C
                • LoadCursorW.USER32(00000000,00007F83), ref: 00CA5377
                • LoadCursorW.USER32(00000000,00007F85), ref: 00CA5382
                • LoadCursorW.USER32(00000000,00007F82), ref: 00CA538D
                • LoadCursorW.USER32(00000000,00007F84), ref: 00CA5398
                • LoadCursorW.USER32(00000000,00007F04), ref: 00CA53A3
                • LoadCursorW.USER32(00000000,00007F02), ref: 00CA53AE
                • GetCursorInfo.USER32(?), ref: 00CA53BE
                • GetLastError.KERNEL32(00000001,00000000), ref: 00CA53E9
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Cursor$Load$ErrorInfoLast
                • String ID:
                • API String ID: 3215588206-0
                • Opcode ID: 4a674a1ed043d140952e98f63140d6a0445b8652264e1f2900387de198eb6daf
                • Instruction ID: 0e0a4d1f8d5b64f9732db059a230ee8042f580152a4ba10f3e95d5efb324f274
                • Opcode Fuzzy Hash: 4a674a1ed043d140952e98f63140d6a0445b8652264e1f2900387de198eb6daf
                • Instruction Fuzzy Hash: 24418170E083196ADB109FBA8C4996EFFF8EF45B10F10452FA519E7290DAB8A501CF61
                APIs
                • GetClassNameW.USER32(?,?,00000100), ref: 00C8AAA5
                • __swprintf.LIBCMT ref: 00C8AB46
                • _wcscmp.LIBCMT ref: 00C8AB59
                • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00C8ABAE
                • _wcscmp.LIBCMT ref: 00C8ABEA
                • GetClassNameW.USER32(?,?,00000400), ref: 00C8AC21
                • GetDlgCtrlID.USER32(?), ref: 00C8AC73
                • GetWindowRect.USER32(?,?), ref: 00C8ACA9
                • GetParent.USER32(?), ref: 00C8ACC7
                • ScreenToClient.USER32(00000000), ref: 00C8ACCE
                • GetClassNameW.USER32(?,?,00000100), ref: 00C8AD48
                • _wcscmp.LIBCMT ref: 00C8AD5C
                • GetWindowTextW.USER32(?,?,00000400), ref: 00C8AD82
                • _wcscmp.LIBCMT ref: 00C8AD96
                  • Part of subcall function 00C5386C: _iswctype.LIBCMT ref: 00C53874
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                • String ID: %s%u
                • API String ID: 3744389584-679674701
                • Opcode ID: c192a30648c8d3c1eb3a98d5bb4f1a3ed1c039735f4c9fea9189e16c9d133991
                • Instruction ID: f0d6b89a1966721adf5b71f963f545c709865bbe1c327920df61f9c04a6b74a4
                • Opcode Fuzzy Hash: c192a30648c8d3c1eb3a98d5bb4f1a3ed1c039735f4c9fea9189e16c9d133991
                • Instruction Fuzzy Hash: DEA1D571204706AFE714EF20C884BAAF7E8FF0435AF00462BF9A9D2550D730EA55DB96
                APIs
                • GetClassNameW.USER32(00000008,?,00000400), ref: 00C8B3DB
                • _wcscmp.LIBCMT ref: 00C8B3EC
                • GetWindowTextW.USER32(00000001,?,00000400), ref: 00C8B414
                • CharUpperBuffW.USER32(?,00000000), ref: 00C8B431
                • _wcscmp.LIBCMT ref: 00C8B44F
                • _wcsstr.LIBCMT ref: 00C8B460
                • GetClassNameW.USER32(00000018,?,00000400), ref: 00C8B498
                • _wcscmp.LIBCMT ref: 00C8B4A8
                • GetWindowTextW.USER32(00000002,?,00000400), ref: 00C8B4CF
                • GetClassNameW.USER32(00000018,?,00000400), ref: 00C8B518
                • _wcscmp.LIBCMT ref: 00C8B528
                • GetClassNameW.USER32(00000010,?,00000400), ref: 00C8B550
                • GetWindowRect.USER32(00000004,?), ref: 00C8B5B9
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                • String ID: @$ThumbnailClass
                • API String ID: 1788623398-1539354611
                • Opcode ID: 1df9bd1d4376b774b7da9c7bac093da0bc71b43f76d261609b0729f50005a4ad
                • Instruction ID: a48eaa3e97bbc26a12646ad6e8960363a98b142da3344f255d81dd71f17d70e1
                • Opcode Fuzzy Hash: 1df9bd1d4376b774b7da9c7bac093da0bc71b43f76d261609b0729f50005a4ad
                • Instruction Fuzzy Hash: 8F81B2710083469BDB14EF10C885FAA7BE8FF84318F04856DFD959A1A2EB30DE49CB65
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: __wcsnicmp
                • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                • API String ID: 1038674560-1810252412
                • Opcode ID: 88f18903b57f0c16684bb8adb2c4caec23de8d3d0163dfb4c9ef21f7b73f17d3
                • Instruction ID: ede3fdd17e7327dc2a37d6c9351861f2c5ae7c824edf59b408054e4f6dac7d36
                • Opcode Fuzzy Hash: 88f18903b57f0c16684bb8adb2c4caec23de8d3d0163dfb4c9ef21f7b73f17d3
                • Instruction Fuzzy Hash: 5631E171A54385A6DF20FA62CD43EEE77A8DF20794F600129F811710E2EF716F08E659
                APIs
                • LoadIconW.USER32(00000063), ref: 00C8C4D4
                • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00C8C4E6
                • SetWindowTextW.USER32(?,?), ref: 00C8C4FD
                • GetDlgItem.USER32(?,000003EA), ref: 00C8C512
                • SetWindowTextW.USER32(00000000,?), ref: 00C8C518
                • GetDlgItem.USER32(?,000003E9), ref: 00C8C528
                • SetWindowTextW.USER32(00000000,?), ref: 00C8C52E
                • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00C8C54F
                • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00C8C569
                • GetWindowRect.USER32(?,?), ref: 00C8C572
                • SetWindowTextW.USER32(?,?), ref: 00C8C5DD
                • GetDesktopWindow.USER32 ref: 00C8C5E3
                • GetWindowRect.USER32(00000000), ref: 00C8C5EA
                • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00C8C636
                • GetClientRect.USER32(?,?), ref: 00C8C643
                • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00C8C668
                • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00C8C693
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                • String ID:
                • API String ID: 3869813825-0
                • Opcode ID: cee81b5a43a7d200f6b4a624f1de8efdf741ce66f43307fcefeb512d6c2645b8
                • Instruction ID: 67e1a88fb6a71ad47fe30514d40b3ca5a7451d8d6f8d15b7a152715ed2529c4a
                • Opcode Fuzzy Hash: cee81b5a43a7d200f6b4a624f1de8efdf741ce66f43307fcefeb512d6c2645b8
                • Instruction Fuzzy Hash: 7F519170900709AFDB20AFA8DD85B6EBBB5FF04708F00462DF692A26A0D770E945DB54
                APIs
                • _memset.LIBCMT ref: 00CBA4C8
                • DestroyWindow.USER32(?,?), ref: 00CBA542
                  • Part of subcall function 00C37D2C: _memmove.LIBCMT ref: 00C37D66
                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00CBA5BC
                • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00CBA5DE
                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CBA5F1
                • DestroyWindow.USER32(00000000), ref: 00CBA613
                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00C30000,00000000), ref: 00CBA64A
                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CBA663
                • GetDesktopWindow.USER32 ref: 00CBA67C
                • GetWindowRect.USER32(00000000), ref: 00CBA683
                • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00CBA69B
                • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00CBA6B3
                  • Part of subcall function 00C325DB: GetWindowLongW.USER32(?,000000EB), ref: 00C325EC
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                • String ID: 0$tooltips_class32
                • API String ID: 1297703922-3619404913
                • Opcode ID: 28befb29ea2ebed2ae1b9511b55f4543e2f74ad5bec4491b2b87ca29a70e6bf8
                • Instruction ID: 199d65fdf607fbd2467866c40efc57dd74aa77191775bf13d807db27a769e1d0
                • Opcode Fuzzy Hash: 28befb29ea2ebed2ae1b9511b55f4543e2f74ad5bec4491b2b87ca29a70e6bf8
                • Instruction Fuzzy Hash: 8571ADB1140205AFD720CF28CC49FBA7BE9FB88304F48462DF995872A1D771EA46DB12
                APIs
                  • Part of subcall function 00C32612: GetWindowLongW.USER32(?,000000EB), ref: 00C32623
                • DragQueryPoint.SHELL32(?,?), ref: 00CBC917
                  • Part of subcall function 00CBADF1: ClientToScreen.USER32(?,?), ref: 00CBAE1A
                  • Part of subcall function 00CBADF1: GetWindowRect.USER32(?,?), ref: 00CBAE90
                  • Part of subcall function 00CBADF1: PtInRect.USER32(?,?,00CBC304), ref: 00CBAEA0
                • SendMessageW.USER32(?,000000B0,?,?), ref: 00CBC980
                • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00CBC98B
                • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00CBC9AE
                • _wcscat.LIBCMT ref: 00CBC9DE
                • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00CBC9F5
                • SendMessageW.USER32(?,000000B0,?,?), ref: 00CBCA0E
                • SendMessageW.USER32(?,000000B1,?,?), ref: 00CBCA25
                • SendMessageW.USER32(?,000000B1,?,?), ref: 00CBCA47
                • DragFinish.SHELL32(?), ref: 00CBCA4E
                • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00CBCB41
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                • API String ID: 169749273-3440237614
                • Opcode ID: bf10c5c7ba97f70a42c786ed242e3fcad82bc531f872df85d6590b520d8885df
                • Instruction ID: 7bdfcc3fb0dc204f9c0d088a5dce1b412a4e1d3ee1c80254f9036c76cec3bc48
                • Opcode Fuzzy Hash: bf10c5c7ba97f70a42c786ed242e3fcad82bc531f872df85d6590b520d8885df
                • Instruction Fuzzy Hash: 1D615B71108305AFC711EF64CC85EAFBBF8EF88710F000A2EF591962A1DB709A49DB52
                APIs
                • CharUpperBuffW.USER32(?,?), ref: 00CB46AB
                • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00CB46F6
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: BuffCharMessageSendUpper
                • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                • API String ID: 3974292440-4258414348
                • Opcode ID: 8034df5cc06cccf188db8b108c9be7d5fff6a2db2e6921bfd9ef1c248f1894bf
                • Instruction ID: 1d696d988c8f016165784b4b4808fb0bb202bf67c25bf6649a1fd0a19443c373
                • Opcode Fuzzy Hash: 8034df5cc06cccf188db8b108c9be7d5fff6a2db2e6921bfd9ef1c248f1894bf
                • Instruction Fuzzy Hash: 579192742183029FCB18EF15C851AAEB7A5EF44314F14445CF8969B3A3CB71ED4AEB81
                APIs
                • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00CBBB6E
                • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00CB9431), ref: 00CBBBCA
                • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00CBBC03
                • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00CBBC46
                • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00CBBC7D
                • FreeLibrary.KERNEL32(?), ref: 00CBBC89
                • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00CBBC99
                • DestroyIcon.USER32(?,?,?,?,?,00CB9431), ref: 00CBBCA8
                • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00CBBCC5
                • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00CBBCD1
                  • Part of subcall function 00C5313D: __wcsicmp_l.LIBCMT ref: 00C531C6
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                • String ID: .dll$.exe$.icl
                • API String ID: 1212759294-1154884017
                • Opcode ID: 9230eefd2e37668e7ad9fc014182ae7a482941f6f03bb4570cc301e3a010ae5a
                • Instruction ID: e20cf45ae7c1fa031254ca63c8013e549c8beae24559dfbce49107c856d06034
                • Opcode Fuzzy Hash: 9230eefd2e37668e7ad9fc014182ae7a482941f6f03bb4570cc301e3a010ae5a
                • Instruction Fuzzy Hash: 8761CE71500619BAEB14DF65CC86FFE7BA8EB08711F104219F825E61C0DBB4AE85DBA0
                APIs
                • GetDC.USER32(00000000), ref: 00CA76A2
                • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00CA76AE
                • CreateCompatibleDC.GDI32(?), ref: 00CA76BA
                • SelectObject.GDI32(00000000,?), ref: 00CA76C7
                • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,UTTON), ref: 00CA771B
                • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00CA7757
                • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00CA777B
                • SelectObject.GDI32(00000006,?), ref: 00CA7783
                • DeleteObject.GDI32(?), ref: 00CA778C
                • DeleteDC.GDI32(00000006), ref: 00CA7793
                • ReleaseDC.USER32(00000000,?), ref: 00CA779E
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                • String ID: ($UTTON
                • API String ID: 2598888154-3299839706
                • Opcode ID: d6f1e087d93154f91b1f61f1cd4773588935ee67b928f7eeb72aaf9b2ff7b123
                • Instruction ID: 747c6abe6e9c17da9834053fa8f083985c42484d666fa8b7c8074e9d8e46e8e7
                • Opcode Fuzzy Hash: d6f1e087d93154f91b1f61f1cd4773588935ee67b928f7eeb72aaf9b2ff7b123
                • Instruction Fuzzy Hash: 58513975904209EFCB15CFA8DC85FAEBBB9FF49310F14862DF95A97220D631A9418B60
                APIs
                  • Part of subcall function 00C39997: __itow.LIBCMT ref: 00C399C2
                  • Part of subcall function 00C39997: __swprintf.LIBCMT ref: 00C39A0C
                • CharLowerBuffW.USER32(?,?), ref: 00C9A636
                • GetDriveTypeW.KERNEL32 ref: 00C9A683
                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C9A6CB
                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C9A702
                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C9A730
                  • Part of subcall function 00C37D2C: _memmove.LIBCMT ref: 00C37D66
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                • API String ID: 2698844021-4113822522
                • Opcode ID: a76655e2138378edb37a2fb6a1eefe9c0ec20e89fbfc18706a22433d7e7988d2
                • Instruction ID: a6ba89be120c10096665baf0872c33420f6dfc75e9b60ccdd1f8f0ac0c724b3d
                • Opcode Fuzzy Hash: a76655e2138378edb37a2fb6a1eefe9c0ec20e89fbfc18706a22433d7e7988d2
                • Instruction Fuzzy Hash: 99516EB11143059FC710EF25C98196AB7F8FF88718F14496CF896972A1DB31EE0ADB92
                APIs
                • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00C9A47A
                • __swprintf.LIBCMT ref: 00C9A49C
                • CreateDirectoryW.KERNEL32(?,00000000), ref: 00C9A4D9
                • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00C9A4FE
                • _memset.LIBCMT ref: 00C9A51D
                • _wcsncpy.LIBCMT ref: 00C9A559
                • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00C9A58E
                • CloseHandle.KERNEL32(00000000), ref: 00C9A599
                • RemoveDirectoryW.KERNEL32(?), ref: 00C9A5A2
                • CloseHandle.KERNEL32(00000000), ref: 00C9A5AC
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                • String ID: :$\$\??\%s
                • API String ID: 2733774712-3457252023
                • Opcode ID: 56f4fbb917a6583a098a241e1d14b79884e8dfd9c96a00f51328d4703a5e5241
                • Instruction ID: 371338ed39ed0a1fa619ab66f550c3e17a9ed933ed618df21af822f17cd0efd8
                • Opcode Fuzzy Hash: 56f4fbb917a6583a098a241e1d14b79884e8dfd9c96a00f51328d4703a5e5241
                • Instruction Fuzzy Hash: 0F3190B6600219ABDB219FA0DC49FEF73BCEF88701F1041BAF918D2160E77097858B65
                APIs
                • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00CB9476,?,?), ref: 00CBBD10
                • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00CB9476,?,?,00000000,?), ref: 00CBBD27
                • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00CB9476,?,?,00000000,?), ref: 00CBBD32
                • CloseHandle.KERNEL32(00000000,?,?,?,?,00CB9476,?,?,00000000,?), ref: 00CBBD3F
                • GlobalLock.KERNEL32(00000000), ref: 00CBBD48
                • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00CB9476,?,?,00000000,?), ref: 00CBBD57
                • GlobalUnlock.KERNEL32(00000000), ref: 00CBBD60
                • CloseHandle.KERNEL32(00000000,?,?,?,?,00CB9476,?,?,00000000,?), ref: 00CBBD67
                • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00CB9476,?,?,00000000,?), ref: 00CBBD78
                • OleLoadPicture.OLEAUT32(?,00000000,00000000,00CC2CAC,?), ref: 00CBBD91
                • GlobalFree.KERNEL32(00000000), ref: 00CBBDA1
                • GetObjectW.GDI32(00000000,00000018,?), ref: 00CBBDC5
                • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00CBBDF0
                • DeleteObject.GDI32(00000000), ref: 00CBBE18
                • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00CBBE2E
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                • String ID:
                • API String ID: 3840717409-0
                • Opcode ID: c16694fdc8466c312eee00614715acdbe5c9e4beb01848d4ad9f3f1e899be4e5
                • Instruction ID: 241fbf4022d33bb0414238121fee9b18ba22cda33288db06ba0c4d790c15b823
                • Opcode Fuzzy Hash: c16694fdc8466c312eee00614715acdbe5c9e4beb01848d4ad9f3f1e899be4e5
                • Instruction Fuzzy Hash: 73410775600208AFDB119F65DC88FAF7BB8EF89711F104169F915D7260D7749E42CB60
                APIs
                • __wsplitpath.LIBCMT ref: 00C9DC7B
                • _wcscat.LIBCMT ref: 00C9DC93
                • _wcscat.LIBCMT ref: 00C9DCA5
                • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C9DCBA
                • SetCurrentDirectoryW.KERNEL32(?), ref: 00C9DCCE
                • GetFileAttributesW.KERNEL32(?), ref: 00C9DCE6
                • SetFileAttributesW.KERNEL32(?,00000000), ref: 00C9DD00
                • SetCurrentDirectoryW.KERNEL32(?), ref: 00C9DD12
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                • String ID: *.*
                • API String ID: 34673085-438819550
                • Opcode ID: db3f9499678cf038762829dfc8d54e3f0ce9076b691aee5e274adf0aceb00f55
                • Instruction ID: 622ed8f7e948e0dc29e5bd7bd10ad5acedaa21b01978a9687d58c7ac1fffbbb3
                • Opcode Fuzzy Hash: db3f9499678cf038762829dfc8d54e3f0ce9076b691aee5e274adf0aceb00f55
                • Instruction Fuzzy Hash: E58183725043419FCF24EF24C84996EB7E8BF89314F19882EF89AE7250E670DA45DB52
                APIs
                  • Part of subcall function 00C32612: GetWindowLongW.USER32(?,000000EB), ref: 00C32623
                • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00CBC4EC
                • GetFocus.USER32 ref: 00CBC4FC
                • GetDlgCtrlID.USER32(00000000), ref: 00CBC507
                • _memset.LIBCMT ref: 00CBC632
                • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00CBC65D
                • GetMenuItemCount.USER32(?), ref: 00CBC67D
                • GetMenuItemID.USER32(?,00000000), ref: 00CBC690
                • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00CBC6C4
                • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00CBC70C
                • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00CBC744
                • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00CBC779
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                • String ID: 0
                • API String ID: 1296962147-4108050209
                • Opcode ID: 3766c664d8f09b8845509b0dc23605ec193a10011ab96d3a25bf3a467a51f42a
                • Instruction ID: e54cf17f6ec30a55df3e6f7eb01a559ddac30438231fd5e90966fbc939c18973
                • Opcode Fuzzy Hash: 3766c664d8f09b8845509b0dc23605ec193a10011ab96d3a25bf3a467a51f42a
                • Instruction Fuzzy Hash: F9816E702083019FD720DF14C9C4AABBBE8EB88354F00452EF9A597291DB70EA05DBA2
                APIs
                  • Part of subcall function 00C8874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C88766
                  • Part of subcall function 00C8874A: GetLastError.KERNEL32(?,00C8822A,?,?,?), ref: 00C88770
                  • Part of subcall function 00C8874A: GetProcessHeap.KERNEL32(00000008,?,?,00C8822A,?,?,?), ref: 00C8877F
                  • Part of subcall function 00C8874A: HeapAlloc.KERNEL32(00000000,?,00C8822A,?,?,?), ref: 00C88786
                  • Part of subcall function 00C8874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C8879D
                  • Part of subcall function 00C887E7: GetProcessHeap.KERNEL32(00000008,00C88240,00000000,00000000,?,00C88240,?), ref: 00C887F3
                  • Part of subcall function 00C887E7: HeapAlloc.KERNEL32(00000000,?,00C88240,?), ref: 00C887FA
                  • Part of subcall function 00C887E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00C88240,?), ref: 00C8880B
                • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C88458
                • _memset.LIBCMT ref: 00C8846D
                • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C8848C
                • GetLengthSid.ADVAPI32(?), ref: 00C8849D
                • GetAce.ADVAPI32(?,00000000,?), ref: 00C884DA
                • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C884F6
                • GetLengthSid.ADVAPI32(?), ref: 00C88513
                • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00C88522
                • HeapAlloc.KERNEL32(00000000), ref: 00C88529
                • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C8854A
                • CopySid.ADVAPI32(00000000), ref: 00C88551
                • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C88582
                • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C885A8
                • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C885BC
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                • String ID:
                • API String ID: 3996160137-0
                • Opcode ID: d276eed5a03b307fac0740e7a58f6d4eb9fabfe000df3a7f691a42e61d79b821
                • Instruction ID: 6654039e158a3fb69adf839e6f04ef067197d281ec39476a7bb89bb148887651
                • Opcode Fuzzy Hash: d276eed5a03b307fac0740e7a58f6d4eb9fabfe000df3a7f691a42e61d79b821
                • Instruction Fuzzy Hash: 6B614F7190020AAFDF10EF94DC45AEEBB79FF04304F548269F825A7691DB359A09CF64
                APIs
                • LoadStringW.USER32(00000066,?,00000FFF,00CBFB78), ref: 00C9A0FC
                  • Part of subcall function 00C37F41: _memmove.LIBCMT ref: 00C37F82
                • LoadStringW.USER32(?,?,00000FFF,?), ref: 00C9A11E
                • __swprintf.LIBCMT ref: 00C9A177
                • __swprintf.LIBCMT ref: 00C9A190
                • _wprintf.LIBCMT ref: 00C9A246
                • _wprintf.LIBCMT ref: 00C9A264
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: LoadString__swprintf_wprintf$_memmove
                • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                • API String ID: 311963372-2391861430
                • Opcode ID: 85dfaf35e81a20e968d825bc63296e11f08cfafe23c288c565e5ea71eed86455
                • Instruction ID: 1ec0ca14fdfbd364b292fcb0f076621a17fa7f43d63e012c380a9170f64a1589
                • Opcode Fuzzy Hash: 85dfaf35e81a20e968d825bc63296e11f08cfafe23c288c565e5ea71eed86455
                • Instruction Fuzzy Hash: 32515FB1900609BBCF25EBE0CD86EEEB779AF04304F100265F515721A1EB316F59EBA1
                APIs
                  • Part of subcall function 00C50B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00C36C6C,?,00008000), ref: 00C50BB7
                  • Part of subcall function 00C348AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C348A1,?,?,00C337C0,?), ref: 00C348CE
                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00C36D0D
                • SetCurrentDirectoryW.KERNEL32(?), ref: 00C36E5A
                  • Part of subcall function 00C359CD: _wcscpy.LIBCMT ref: 00C35A05
                  • Part of subcall function 00C5387D: _iswctype.LIBCMT ref: 00C53885
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                • API String ID: 537147316-1018226102
                • Opcode ID: 62879ec6728006dbfea7cb6fb8d2f5c92c745d17f70c703028b53253b7faf1d3
                • Instruction ID: 8bf5b087113cea966da0700eed1b9b865ad368d7a9f238ba2991c8925ea2a833
                • Opcode Fuzzy Hash: 62879ec6728006dbfea7cb6fb8d2f5c92c745d17f70c703028b53253b7faf1d3
                • Instruction Fuzzy Hash: AE02BF741183419FC724EF24C881AAFBBE5FF99314F14491EF496972A1DB30DA49EB42
                APIs
                • _memset.LIBCMT ref: 00C345F9
                • GetMenuItemCount.USER32(00CF6890), ref: 00C6D7CD
                • GetMenuItemCount.USER32(00CF6890), ref: 00C6D87D
                • GetCursorPos.USER32(?), ref: 00C6D8C1
                • SetForegroundWindow.USER32(00000000), ref: 00C6D8CA
                • TrackPopupMenuEx.USER32(00CF6890,00000000,?,00000000,00000000,00000000), ref: 00C6D8DD
                • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00C6D8E9
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                • String ID:
                • API String ID: 2751501086-0
                • Opcode ID: 4c93f893f9d8446c87be8c59100094bebed689ff9e1c7c39235ddc6afce53e2b
                • Instruction ID: f8c2eabafadf937095f374adf03963cbb61fd3785f4ddd06b018ba19547da566
                • Opcode Fuzzy Hash: 4c93f893f9d8446c87be8c59100094bebed689ff9e1c7c39235ddc6afce53e2b
                • Instruction Fuzzy Hash: 6E71F570B40205BEEB358F65DC89FEABF64FF05364F200226F526A61E1C7B16960DB91
                APIs
                • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CB0038,?,?), ref: 00CB10BC
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: BuffCharUpper
                • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                • API String ID: 3964851224-909552448
                • Opcode ID: 1babd9d1d205c8907b266fc402f0fa1d07972849432cc1008a40217d00a8ba33
                • Instruction ID: 32efa3f059336686ae7837bbba68fee9ebc676ddd12d0e4964bde08434760039
                • Opcode Fuzzy Hash: 1babd9d1d205c8907b266fc402f0fa1d07972849432cc1008a40217d00a8ba33
                • Instruction Fuzzy Hash: B5417BB015028B8BCF10EF95DDA1AEF3724AF11310FA44554FCA19B291DB30AE5ADBA1
                APIs
                  • Part of subcall function 00C37D2C: _memmove.LIBCMT ref: 00C37D66
                  • Part of subcall function 00C37A84: _memmove.LIBCMT ref: 00C37B0D
                • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00C955D2
                • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00C955E8
                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C955F9
                • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00C9560B
                • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00C9561C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: SendString$_memmove
                • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                • API String ID: 2279737902-1007645807
                • Opcode ID: 422ac411a4c9e5d272b92fc7fb31783099872472f22781d4059030939e86a4b3
                • Instruction ID: 02dfe6b5c8ac363c61070815dafd13d295d7c34102d1d3e8ff74a5f8f1faa6b1
                • Opcode Fuzzy Hash: 422ac411a4c9e5d272b92fc7fb31783099872472f22781d4059030939e86a4b3
                • Instruction Fuzzy Hash: 0D1194606605A97DD721F762CC8ADFF7F7CEF91B00F400569B411A20E1DE605E05DAB1
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                • String ID: 0.0.0.0
                • API String ID: 208665112-3771769585
                • Opcode ID: 76eb82b08d0af7ee25849fad2afb0de15fd17f7ffbcfb12d1821d48f189a84dc
                • Instruction ID: 12f5ee62fe5660fcb06c8fc2d244eca2368b9ec3e60f7c53a8f1f2b64bb96f46
                • Opcode Fuzzy Hash: 76eb82b08d0af7ee25849fad2afb0de15fd17f7ffbcfb12d1821d48f189a84dc
                • Instruction Fuzzy Hash: 6D11D536904114ABCB24EB64AC4AFDF77AC9B41711F0502B9F80896191EF719BC69751
                APIs
                • timeGetTime.WINMM ref: 00C9521C
                  • Part of subcall function 00C50719: timeGetTime.WINMM(?,7694B400,00C40FF9), ref: 00C5071D
                • Sleep.KERNEL32(0000000A), ref: 00C95248
                • EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 00C9526C
                • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00C9528E
                • SetActiveWindow.USER32 ref: 00C952AD
                • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00C952BB
                • SendMessageW.USER32(00000010,00000000,00000000), ref: 00C952DA
                • Sleep.KERNEL32(000000FA), ref: 00C952E5
                • IsWindow.USER32 ref: 00C952F1
                • EndDialog.USER32(00000000), ref: 00C95302
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                • String ID: BUTTON
                • API String ID: 1194449130-3405671355
                • Opcode ID: f1f4e67ed072296535a0863bcb586d392ea14dee62863955b70703a227a737d8
                • Instruction ID: b9ee8d3bf43b4f63759ef6fbf09b361f4bda41731dd6f8a5dfa26b305bc043f9
                • Opcode Fuzzy Hash: f1f4e67ed072296535a0863bcb586d392ea14dee62863955b70703a227a737d8
                • Instruction Fuzzy Hash: 5E218EB0204B05AFEB125B70ED8DB3E3B69FB54786F111638F501922B1DBA19D46DB22
                APIs
                  • Part of subcall function 00C39997: __itow.LIBCMT ref: 00C399C2
                  • Part of subcall function 00C39997: __swprintf.LIBCMT ref: 00C39A0C
                • CoInitialize.OLE32(00000000), ref: 00C9D855
                • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00C9D8E8
                • SHGetDesktopFolder.SHELL32(?), ref: 00C9D8FC
                • CoCreateInstance.OLE32(00CC2D7C,00000000,00000001,00CEA89C,?), ref: 00C9D948
                • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00C9D9B7
                • CoTaskMemFree.OLE32(?,?), ref: 00C9DA0F
                • _memset.LIBCMT ref: 00C9DA4C
                • SHBrowseForFolderW.SHELL32(?), ref: 00C9DA88
                • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00C9DAAB
                • CoTaskMemFree.OLE32(00000000), ref: 00C9DAB2
                • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00C9DAE9
                • CoUninitialize.OLE32(00000001,00000000), ref: 00C9DAEB
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                • String ID:
                • API String ID: 1246142700-0
                • Opcode ID: 10f2af4ef399dbc8b1cc7e73e9460b011bedfc6b7bd0e26b543ca51f028c0b11
                • Instruction ID: 2e26f14e77f051e5e9ad93253f35ae9eceb02023672bf565b672c9f55eb1623b
                • Opcode Fuzzy Hash: 10f2af4ef399dbc8b1cc7e73e9460b011bedfc6b7bd0e26b543ca51f028c0b11
                • Instruction Fuzzy Hash: 4BB1FB75A00109AFDB14DF64C888EAEBBB9FF49314F048469F90AEB251DB30EE45DB54
                APIs
                • GetKeyboardState.USER32(?), ref: 00C905A7
                • SetKeyboardState.USER32(?), ref: 00C90612
                • GetAsyncKeyState.USER32(000000A0), ref: 00C90632
                • GetKeyState.USER32(000000A0), ref: 00C90649
                • GetAsyncKeyState.USER32(000000A1), ref: 00C90678
                • GetKeyState.USER32(000000A1), ref: 00C90689
                • GetAsyncKeyState.USER32(00000011), ref: 00C906B5
                • GetKeyState.USER32(00000011), ref: 00C906C3
                • GetAsyncKeyState.USER32(00000012), ref: 00C906EC
                • GetKeyState.USER32(00000012), ref: 00C906FA
                • GetAsyncKeyState.USER32(0000005B), ref: 00C90723
                • GetKeyState.USER32(0000005B), ref: 00C90731
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: State$Async$Keyboard
                • String ID:
                • API String ID: 541375521-0
                • Opcode ID: 9a022569e9efd38ea2326d30ba12f8412a932d603c233ef7b83a44c2d1c84d8d
                • Instruction ID: 1b0b33899969742efddb577e3bde320911beae36fe78eb83e5cfe280eae9e45d
                • Opcode Fuzzy Hash: 9a022569e9efd38ea2326d30ba12f8412a932d603c233ef7b83a44c2d1c84d8d
                • Instruction Fuzzy Hash: A851EA20A047C82DFF35DBB088597EEBFB49F01380F18459ED9D2561C2DA64AB8CDB65
                APIs
                • GetDlgItem.USER32(?,00000001), ref: 00C8C746
                • GetWindowRect.USER32(00000000,?), ref: 00C8C758
                • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00C8C7B6
                • GetDlgItem.USER32(?,00000002), ref: 00C8C7C1
                • GetWindowRect.USER32(00000000,?), ref: 00C8C7D3
                • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00C8C827
                • GetDlgItem.USER32(?,000003E9), ref: 00C8C835
                • GetWindowRect.USER32(00000000,?), ref: 00C8C846
                • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00C8C889
                • GetDlgItem.USER32(?,000003EA), ref: 00C8C897
                • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00C8C8B4
                • InvalidateRect.USER32(?,00000000,00000001), ref: 00C8C8C1
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Window$ItemMoveRect$Invalidate
                • String ID:
                • API String ID: 3096461208-0
                • Opcode ID: 3b1e3c5ae1baf6483701a3e0d9f5fe9850ad3e6950c3be70629cfdb04fd0e4f1
                • Instruction ID: 1c746abf6d44905d470a2c2128930b1a5bcfe6f3b9fba4bb9a91a852222bf8f2
                • Opcode Fuzzy Hash: 3b1e3c5ae1baf6483701a3e0d9f5fe9850ad3e6950c3be70629cfdb04fd0e4f1
                • Instruction Fuzzy Hash: 4D514171B40205AFDB18DF68DD99BAEBBBAEB88310F14822DF915D7290D7709E01CB14
                APIs
                  • Part of subcall function 00C31B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C32036,?,00000000,?,?,?,?,00C316CB,00000000,?), ref: 00C31B9A
                • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00C320D3
                • KillTimer.USER32(-00000001,?,?,?,?,00C316CB,00000000,?,?,00C31AE2,?,?), ref: 00C3216E
                • DestroyAcceleratorTable.USER32(00000000), ref: 00C6BEF6
                • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00C316CB,00000000,?,?,00C31AE2,?,?), ref: 00C6BF27
                • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00C316CB,00000000,?,?,00C31AE2,?,?), ref: 00C6BF3E
                • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00C316CB,00000000,?,?,00C31AE2,?,?), ref: 00C6BF5A
                • DeleteObject.GDI32(00000000), ref: 00C6BF6C
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                • String ID:
                • API String ID: 641708696-0
                • Opcode ID: 573f2be55d4673fc08ea9cfc46afc5260e1f8cc4b0e2fc5269b3646b243e7353
                • Instruction ID: c221ee25338e1b53abc11209b303d378cc9757b09171569fa82af1d456d7728b
                • Opcode Fuzzy Hash: 573f2be55d4673fc08ea9cfc46afc5260e1f8cc4b0e2fc5269b3646b243e7353
                • Instruction Fuzzy Hash: 41616635110610EFCB39AF15DE88B2AB7F1FB40316F10852DE55296AB0C771AD86DF92
                APIs
                  • Part of subcall function 00C325DB: GetWindowLongW.USER32(?,000000EB), ref: 00C325EC
                • GetSysColor.USER32(0000000F), ref: 00C321D3
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: ColorLongWindow
                • String ID:
                • API String ID: 259745315-0
                • Opcode ID: 8597351a6308bc39fb59fbb650f31d44e120e89a10e2d884e3678ad6d5ea85bd
                • Instruction ID: 9849f3f6a53ce4e74735d3c934c9a45cca266101d801b5c67320a474e3903fdf
                • Opcode Fuzzy Hash: 8597351a6308bc39fb59fbb650f31d44e120e89a10e2d884e3678ad6d5ea85bd
                • Instruction Fuzzy Hash: 52415131110240ABDF255F69DC88BBE3B65EB06331F144365FEB58A2E6C7328D42DB61
                APIs
                • CharLowerBuffW.USER32(?,?,00CBF910), ref: 00C9AB76
                • GetDriveTypeW.KERNEL32(00000061,00CEA620,00000061), ref: 00C9AC40
                • _wcscpy.LIBCMT ref: 00C9AC6A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: BuffCharDriveLowerType_wcscpy
                • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                • API String ID: 2820617543-1000479233
                • Opcode ID: dd3262b33ddfc523953d601f05f129136aeefecfdfe0ea08cb64f5f7774e05d4
                • Instruction ID: 2afe1d75f3e06f6c9a71ab5e1211e48bdae89cc7827e50a73d38ee15a62594c0
                • Opcode Fuzzy Hash: dd3262b33ddfc523953d601f05f129136aeefecfdfe0ea08cb64f5f7774e05d4
                • Instruction Fuzzy Hash: DD51D1711183419FCB14EF15C885AAEB7A5FF84305F10482DF8969B2A2DB31EE49DB93
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: __i64tow__itow__swprintf
                • String ID: %.15g$0x%p$False$True
                • API String ID: 421087845-2263619337
                • Opcode ID: ea0984635bd21791c433d21392099df586170e48d8f5c42db0a5b4f3345db3b8
                • Instruction ID: c0350e4941c025a81ab1be175be9d21294c02fa631b87c17858e5e43a3b831e0
                • Opcode Fuzzy Hash: ea0984635bd21791c433d21392099df586170e48d8f5c42db0a5b4f3345db3b8
                • Instruction Fuzzy Hash: EC411771514305AFEB34EF79EC82F7A73E4EB04300F20446EE549D7281EA719942DB11
                APIs
                • _memset.LIBCMT ref: 00CB73D9
                • CreateMenu.USER32 ref: 00CB73F4
                • SetMenu.USER32(?,00000000), ref: 00CB7403
                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CB7490
                • IsMenu.USER32(?), ref: 00CB74A6
                • CreatePopupMenu.USER32 ref: 00CB74B0
                • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00CB74DD
                • DrawMenuBar.USER32 ref: 00CB74E5
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                • String ID: 0$F
                • API String ID: 176399719-3044882817
                • Opcode ID: c54d1cd1c19073215054cee2d420d1e93eae5099f1df9d3b6fbcfb0853d8ef58
                • Instruction ID: ee28c42729900c6d0f2a313fd9d1b28ff958e28a4d55c6105832150647424b52
                • Opcode Fuzzy Hash: c54d1cd1c19073215054cee2d420d1e93eae5099f1df9d3b6fbcfb0853d8ef58
                • Instruction Fuzzy Hash: 60412675A00209EFDB20DF64D884BEABBB5FF89351F144229ED5997360D731AA14CF50
                APIs
                • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00CB77CD
                • CreateCompatibleDC.GDI32(00000000), ref: 00CB77D4
                • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00CB77E7
                • SelectObject.GDI32(00000000,00000000), ref: 00CB77EF
                • GetPixel.GDI32(00000000,00000000,00000000), ref: 00CB77FA
                • DeleteDC.GDI32(00000000), ref: 00CB7803
                • GetWindowLongW.USER32(?,000000EC), ref: 00CB780D
                • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00CB7821
                • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00CB782D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                • String ID: static
                • API String ID: 2559357485-2160076837
                • Opcode ID: 601f6b089daf427c5fc0e90bebcb0049e1496d98da9eca567d85f9699d2768c2
                • Instruction ID: ae110204d9b9f10cb7e22982e27e1675a36d73dc980739850b475cf029b11a51
                • Opcode Fuzzy Hash: 601f6b089daf427c5fc0e90bebcb0049e1496d98da9eca567d85f9699d2768c2
                • Instruction Fuzzy Hash: AE313A31105215ABDF129F74DC09FDF3B69EF49321F110329FA25A61A0DB719912DBA4
                APIs
                • _memset.LIBCMT ref: 00C5707B
                  • Part of subcall function 00C58D68: __getptd_noexit.LIBCMT ref: 00C58D68
                • __gmtime64_s.LIBCMT ref: 00C57114
                • __gmtime64_s.LIBCMT ref: 00C5714A
                • __gmtime64_s.LIBCMT ref: 00C57167
                • __allrem.LIBCMT ref: 00C571BD
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C571D9
                • __allrem.LIBCMT ref: 00C571F0
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C5720E
                • __allrem.LIBCMT ref: 00C57225
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C57243
                • __invoke_watson.LIBCMT ref: 00C572B4
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                • String ID:
                • API String ID: 384356119-0
                • Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
                • Instruction ID: 399d665729cb4b5bdd60f6ab351d6e1425a23006539e94ed78bf7bb0a9ab5f77
                • Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
                • Instruction Fuzzy Hash: 2B711775A04706ABD7249F79DC81B5AB3E8AF51321F10432AFC24E76C1EB70DAC89794
                APIs
                • _memset.LIBCMT ref: 00C92A31
                • GetMenuItemInfoW.USER32(00CF6890,000000FF,00000000,00000030), ref: 00C92A92
                • SetMenuItemInfoW.USER32(00CF6890,00000004,00000000,00000030), ref: 00C92AC8
                • Sleep.KERNEL32(000001F4), ref: 00C92ADA
                • GetMenuItemCount.USER32(?), ref: 00C92B1E
                • GetMenuItemID.USER32(?,00000000), ref: 00C92B3A
                • GetMenuItemID.USER32(?,-00000001), ref: 00C92B64
                • GetMenuItemID.USER32(?,?), ref: 00C92BA9
                • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00C92BEF
                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C92C03
                • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C92C24
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                • String ID:
                • API String ID: 4176008265-0
                • Opcode ID: 476aeba6dff217ec3e3684c8df334e080032863067e95548d8289d9de0af2aa6
                • Instruction ID: fc128ca989896c624c809a14a34d6494c1d7b935976f2c17b28467fde28417b3
                • Opcode Fuzzy Hash: 476aeba6dff217ec3e3684c8df334e080032863067e95548d8289d9de0af2aa6
                • Instruction Fuzzy Hash: 2C617EB1900249BFEF21CF64DC8CEBE7BB8EB45344F140559E89297251D731AE46EB21
                APIs
                • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00CB7214
                • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00CB7217
                • GetWindowLongW.USER32(?,000000F0), ref: 00CB723B
                • _memset.LIBCMT ref: 00CB724C
                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00CB725E
                • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00CB72D6
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: MessageSend$LongWindow_memset
                • String ID:
                • API String ID: 830647256-0
                • Opcode ID: d7e113693d274b3fe9c5ab3e9b0ea428992e46af6efdf1ce08070176a6be500c
                • Instruction ID: fb655c4973ef15728dfa65643e7f829664df3ab5282519a680c23bbb76291858
                • Opcode Fuzzy Hash: d7e113693d274b3fe9c5ab3e9b0ea428992e46af6efdf1ce08070176a6be500c
                • Instruction Fuzzy Hash: C9616A75900208AFDB10DFA8CC81EEE77F8AB49710F144259FE15A72A1D770AE45DB60
                APIs
                • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00C87135
                • SafeArrayAllocData.OLEAUT32(?), ref: 00C8718E
                • VariantInit.OLEAUT32(?), ref: 00C871A0
                • SafeArrayAccessData.OLEAUT32(?,?), ref: 00C871C0
                • VariantCopy.OLEAUT32(?,?), ref: 00C87213
                • SafeArrayUnaccessData.OLEAUT32(?), ref: 00C87227
                • VariantClear.OLEAUT32(?), ref: 00C8723C
                • SafeArrayDestroyData.OLEAUT32(?), ref: 00C87249
                • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C87252
                • VariantClear.OLEAUT32(?), ref: 00C87264
                • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C8726F
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                • String ID:
                • API String ID: 2706829360-0
                • Opcode ID: eba79f5340abcf3c8f25175608b94ea6080bddd09cc2924ed863351b64fea371
                • Instruction ID: cf44f9ab5561a3060d6ad2e2f9b35a9d91fe4521d8160312a279b50c1d8082ef
                • Opcode Fuzzy Hash: eba79f5340abcf3c8f25175608b94ea6080bddd09cc2924ed863351b64fea371
                • Instruction Fuzzy Hash: 07415F35900219EFCB00EF68DC48AAEBBB8EF08354F108169F955A7361DB30E946DF94
                APIs
                • WSAStartup.WSOCK32(00000101,?), ref: 00CA5AA6
                • inet_addr.WSOCK32(?,?,?), ref: 00CA5AEB
                • gethostbyname.WSOCK32(?), ref: 00CA5AF7
                • IcmpCreateFile.IPHLPAPI ref: 00CA5B05
                • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00CA5B75
                • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00CA5B8B
                • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00CA5C00
                • WSACleanup.WSOCK32 ref: 00CA5C06
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                • String ID: Ping
                • API String ID: 1028309954-2246546115
                • Opcode ID: 5d07b4f1ef3c87f571270472a2e9f5f5c3905e2fbcf096d96d10d0fdb640f067
                • Instruction ID: eefda412281a1e10153a5a29b9ba2e40cb7dc5654868a490f41d7f22d7db2bae
                • Opcode Fuzzy Hash: 5d07b4f1ef3c87f571270472a2e9f5f5c3905e2fbcf096d96d10d0fdb640f067
                • Instruction Fuzzy Hash: 0B51BD312047019FDB20AF24DC85B2EBBE4EF49314F048969F966DB2A1DB70ED00EB52
                APIs
                • SetErrorMode.KERNEL32(00000001), ref: 00C9B73B
                • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00C9B7B1
                • GetLastError.KERNEL32 ref: 00C9B7BB
                • SetErrorMode.KERNEL32(00000000,READY), ref: 00C9B828
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Error$Mode$DiskFreeLastSpace
                • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                • API String ID: 4194297153-14809454
                • Opcode ID: cb51658275221a3a8d962ff3cba35bcc75bc6c206205c86925b31c112bf6fd9b
                • Instruction ID: dcfbb35c14d52c59dcebf0598ac1e506f8e5d847350498b4e9c389064bee1dc3
                • Opcode Fuzzy Hash: cb51658275221a3a8d962ff3cba35bcc75bc6c206205c86925b31c112bf6fd9b
                • Instruction Fuzzy Hash: 24318035A00209AFDB10EFA9DD89ABEB7B4EF44704F104229E41697291DB71AE42DB61
                APIs
                  • Part of subcall function 00C37F41: _memmove.LIBCMT ref: 00C37F82
                  • Part of subcall function 00C8B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00C8B0E7
                • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00C894F6
                • GetDlgCtrlID.USER32 ref: 00C89501
                • GetParent.USER32 ref: 00C8951D
                • SendMessageW.USER32(00000000,?,00000111,?), ref: 00C89520
                • GetDlgCtrlID.USER32(?), ref: 00C89529
                • GetParent.USER32(?), ref: 00C89545
                • SendMessageW.USER32(00000000,?,?,00000111), ref: 00C89548
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: MessageSend$CtrlParent$ClassName_memmove
                • String ID: ComboBox$ListBox
                • API String ID: 1536045017-1403004172
                • Opcode ID: 404a5ab5ba3e66a8f1161781d2ac1bcc7aeb38e316438c63a5213812c8b337c9
                • Instruction ID: 7c5173c9f91324949659726c1e9701723d4be8a87e42c7cee5fcaea945f3aa29
                • Opcode Fuzzy Hash: 404a5ab5ba3e66a8f1161781d2ac1bcc7aeb38e316438c63a5213812c8b337c9
                • Instruction Fuzzy Hash: C521D370900208BBCF05ABA5CC85EFEBB74FF49310F14422AF961972E2DB755919EB24
                APIs
                  • Part of subcall function 00C37F41: _memmove.LIBCMT ref: 00C37F82
                  • Part of subcall function 00C8B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00C8B0E7
                • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00C895DF
                • GetDlgCtrlID.USER32 ref: 00C895EA
                • GetParent.USER32 ref: 00C89606
                • SendMessageW.USER32(00000000,?,00000111,?), ref: 00C89609
                • GetDlgCtrlID.USER32(?), ref: 00C89612
                • GetParent.USER32(?), ref: 00C8962E
                • SendMessageW.USER32(00000000,?,?,00000111), ref: 00C89631
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: MessageSend$CtrlParent$ClassName_memmove
                • String ID: ComboBox$ListBox
                • API String ID: 1536045017-1403004172
                • Opcode ID: d512667cab3722a44237c7bd5b5e6c80aca6d3ea7f6bd282686f69e6f564d15c
                • Instruction ID: eb7a4341817dddb66fb9d34fec2f1e0cc9023ba3edb60222986f106d3d007ea6
                • Opcode Fuzzy Hash: d512667cab3722a44237c7bd5b5e6c80aca6d3ea7f6bd282686f69e6f564d15c
                • Instruction Fuzzy Hash: 3321C874900208BBDF01AB61CC85FFEBB74EF48300F14021AF921972A1DB755919EB24
                APIs
                • GetParent.USER32 ref: 00C89651
                • GetClassNameW.USER32(00000000,?,00000100), ref: 00C89666
                • _wcscmp.LIBCMT ref: 00C89678
                • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00C896F3
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: ClassMessageNameParentSend_wcscmp
                • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                • API String ID: 1704125052-3381328864
                • Opcode ID: fc124455a81b6b5fad64236e32504aa5bb2c75186c28f00e6bce9d9ae6548315
                • Instruction ID: dfd4604dc6ea7e103764fe755cca69f312a235759aeff6cf1e01c2c6deba229d
                • Opcode Fuzzy Hash: fc124455a81b6b5fad64236e32504aa5bb2c75186c28f00e6bce9d9ae6548315
                • Instruction Fuzzy Hash: DC11E37A248347BAEA113622DC07EBB779CDB053A5F200226FD10A50E1FEB26A515B5C
                APIs
                • VariantInit.OLEAUT32(?), ref: 00CA8BEC
                • CoInitialize.OLE32(00000000), ref: 00CA8C19
                • CoUninitialize.OLE32 ref: 00CA8C23
                • GetRunningObjectTable.OLE32(00000000,?), ref: 00CA8D23
                • SetErrorMode.KERNEL32(00000001,00000029), ref: 00CA8E50
                • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00CC2C0C), ref: 00CA8E84
                • CoGetObject.OLE32(?,00000000,00CC2C0C,?), ref: 00CA8EA7
                • SetErrorMode.KERNEL32(00000000), ref: 00CA8EBA
                • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00CA8F3A
                • VariantClear.OLEAUT32(?), ref: 00CA8F4A
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                • String ID:
                • API String ID: 2395222682-0
                • Opcode ID: 606b739616fc5449d7b65b772acd42f01fd90ad61985f1f9c63f2c8e8b7affbe
                • Instruction ID: a49ea31ebc885fb0417aa1721df82ca82d314545161be14f166ab7c0d1ab1d72
                • Opcode Fuzzy Hash: 606b739616fc5449d7b65b772acd42f01fd90ad61985f1f9c63f2c8e8b7affbe
                • Instruction Fuzzy Hash: B3C13771604306AFD700DF64C884A2BB7E9FF8A748F00496DF59A9B251DB71ED0ACB52
                APIs
                • __swprintf.LIBCMT ref: 00C9419D
                • __swprintf.LIBCMT ref: 00C941AA
                  • Part of subcall function 00C538D8: __woutput_l.LIBCMT ref: 00C53931
                • FindResourceW.KERNEL32(?,?,0000000E), ref: 00C941D4
                • LoadResource.KERNEL32(?,00000000), ref: 00C941E0
                • LockResource.KERNEL32(00000000), ref: 00C941ED
                • FindResourceW.KERNEL32(?,?,00000003), ref: 00C9420D
                • LoadResource.KERNEL32(?,00000000), ref: 00C9421F
                • SizeofResource.KERNEL32(?,00000000), ref: 00C9422E
                • LockResource.KERNEL32(?), ref: 00C9423A
                • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00C9429B
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                • String ID:
                • API String ID: 1433390588-0
                • Opcode ID: 369cbd0ce3db5c630264fc9f97ca748b8579ad7637e8927911cbe4a4910dcf1e
                • Instruction ID: ded28c804b4a9c6bf7088ae382b7bc629ac40d10e54fc22d0b29ae8554ddd0aa
                • Opcode Fuzzy Hash: 369cbd0ce3db5c630264fc9f97ca748b8579ad7637e8927911cbe4a4910dcf1e
                • Instruction Fuzzy Hash: 403189B160120AAFCF199F60DC48FBF7BA8FB08341F004629F912D2250E770DA528BA1
                APIs
                • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00C3FC06
                • OleUninitialize.OLE32(?,00000000), ref: 00C3FCA5
                • UnregisterHotKey.USER32(?), ref: 00C3FDFC
                • DestroyWindow.USER32(?), ref: 00C74A00
                • FreeLibrary.KERNEL32(?), ref: 00C74A65
                • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00C74A92
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                • String ID: close all
                • API String ID: 469580280-3243417748
                • Opcode ID: 74797a8a8d8e2ca207594abd9310c3b3726848e835588882fbcd6a8f679d0365
                • Instruction ID: bf3419d7e37abf1c7fcf15f309db2ad5a73aa3d27083449f59c9ac5a0f6e500d
                • Opcode Fuzzy Hash: 74797a8a8d8e2ca207594abd9310c3b3726848e835588882fbcd6a8f679d0365
                • Instruction Fuzzy Hash: 94A16D34711212CFCB29EF15C895B69F364BF04710F1486ADE81AAB262DB30AE17EF54
                APIs
                • EnumChildWindows.USER32(?,00C8AA64), ref: 00C8A9A2
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: ChildEnumWindows
                • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                • API String ID: 3555792229-1603158881
                • Opcode ID: cea4d11584388aa27e9bbdba8069a6c0269c7294247c3f22e5ec1e3db2068632
                • Instruction ID: 7d29727bbd5ee17b9cb2293a10be0dbf0e5cfc89e32bf7799a0502b927bade4c
                • Opcode Fuzzy Hash: cea4d11584388aa27e9bbdba8069a6c0269c7294247c3f22e5ec1e3db2068632
                • Instruction Fuzzy Hash: EB91CA70904646EBEF58EF60C481BEDFB74FF04348F10811AE899A7151DF306A99EB95
                APIs
                • SetWindowLongW.USER32(?,000000EB), ref: 00C32EAE
                  • Part of subcall function 00C31DB3: GetClientRect.USER32(?,?), ref: 00C31DDC
                  • Part of subcall function 00C31DB3: GetWindowRect.USER32(?,?), ref: 00C31E1D
                  • Part of subcall function 00C31DB3: ScreenToClient.USER32(?,?), ref: 00C31E45
                • GetDC.USER32 ref: 00C6CF82
                • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00C6CF95
                • SelectObject.GDI32(00000000,00000000), ref: 00C6CFA3
                • SelectObject.GDI32(00000000,00000000), ref: 00C6CFB8
                • ReleaseDC.USER32(?,00000000), ref: 00C6CFC0
                • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00C6D04B
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                • String ID: U
                • API String ID: 4009187628-3372436214
                • Opcode ID: 448f4f0d2176f4df622db34ffb2e40625119097b26d010c67271328e49927cca
                • Instruction ID: f15f52258b005e75da0bcc9df6774eaf0cf7555fdf9d3abf0ec6e798ff26ff57
                • Opcode Fuzzy Hash: 448f4f0d2176f4df622db34ffb2e40625119097b26d010c67271328e49927cca
                • Instruction Fuzzy Hash: 5671D230900205DFCF318F64CCC5ABA7BB6FF49351F14426AEDA65A2A6C7318D42EB61
                APIs
                  • Part of subcall function 00C32612: GetWindowLongW.USER32(?,000000EB), ref: 00C32623
                  • Part of subcall function 00C32344: GetCursorPos.USER32(?), ref: 00C32357
                  • Part of subcall function 00C32344: ScreenToClient.USER32(00CF67B0,?), ref: 00C32374
                  • Part of subcall function 00C32344: GetAsyncKeyState.USER32(00000001), ref: 00C32399
                  • Part of subcall function 00C32344: GetAsyncKeyState.USER32(00000002), ref: 00C323A7
                • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 00CBC2E4
                • ImageList_EndDrag.COMCTL32 ref: 00CBC2EA
                • ReleaseCapture.USER32 ref: 00CBC2F0
                • SetWindowTextW.USER32(?,00000000), ref: 00CBC39A
                • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00CBC3AD
                • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 00CBC48F
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                • String ID: @GUI_DRAGFILE$@GUI_DROPID
                • API String ID: 1924731296-2107944366
                • Opcode ID: a332f24f952e343afd8133e363f0216e991ebf900c0710e96f2c6aa3b7e4820a
                • Instruction ID: 93f464ecbfe60ba382928e2913f215e218ea79556f1d05dc6614dff89f89e8e7
                • Opcode Fuzzy Hash: a332f24f952e343afd8133e363f0216e991ebf900c0710e96f2c6aa3b7e4820a
                • Instruction Fuzzy Hash: 5E516A70204304AFDB10EF24CC95BBE7BE5EB88314F00462DF9958B2E1DB71A959EB52
                APIs
                • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00CBF910), ref: 00CA903D
                • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00CBF910), ref: 00CA9071
                • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00CA91EB
                • SysFreeString.OLEAUT32(?), ref: 00CA9215
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Free$FileLibraryModuleNamePathQueryStringType
                • String ID:
                • API String ID: 560350794-0
                • Opcode ID: 57681338471e2e8a7a76c22cf18b362b4c8c39d091ae1cb952ab6cd03a8698bc
                • Instruction ID: 436c475aea44695beec9d2d9f2b4d8be933b25e8a84170d920f57c1c86d0ab77
                • Opcode Fuzzy Hash: 57681338471e2e8a7a76c22cf18b362b4c8c39d091ae1cb952ab6cd03a8698bc
                • Instruction Fuzzy Hash: 9FF14F71A0010AEFDF14DF94C889EAEB7B9FF4A318F108459F516AB260DB31AE45CB50
                APIs
                • _memset.LIBCMT ref: 00CAF9C9
                • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00CAFB5C
                • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00CAFB80
                • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00CAFBC0
                • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00CAFBE2
                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00CAFD5E
                • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00CAFD90
                • CloseHandle.KERNEL32(?), ref: 00CAFDBF
                • CloseHandle.KERNEL32(?), ref: 00CAFE36
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                • String ID:
                • API String ID: 4090791747-0
                • Opcode ID: 0cc72ca7f5d8f599c3189b98a2097293e21a50de5dde0dd18c8cd596b8618612
                • Instruction ID: 149d3ac73344a050f70121a9d0a897b97010a1e926d4dff2f43632fb7b954f53
                • Opcode Fuzzy Hash: 0cc72ca7f5d8f599c3189b98a2097293e21a50de5dde0dd18c8cd596b8618612
                • Instruction Fuzzy Hash: B2E1B431204341DFCB14EF64C895B6ABBE0EF85318F14856DF89A9B2A2CB70DD46DB52
                APIs
                  • Part of subcall function 00C948AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C938D3,?), ref: 00C948C7
                  • Part of subcall function 00C948AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C938D3,?), ref: 00C948E0
                  • Part of subcall function 00C94CD3: GetFileAttributesW.KERNEL32(?,00C93947), ref: 00C94CD4
                • lstrcmpiW.KERNEL32(?,?), ref: 00C94FE2
                • _wcscmp.LIBCMT ref: 00C94FFC
                • MoveFileW.KERNEL32(?,?), ref: 00C95017
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                • String ID:
                • API String ID: 793581249-0
                • Opcode ID: 05901760bc02baa61ff5b3604316f1e3669aafa259c5457c9cccae9c9beb102b
                • Instruction ID: 80039d219d757d3da21752e2a28eb9759cbcc56d352de838891fc5aa56525d35
                • Opcode Fuzzy Hash: 05901760bc02baa61ff5b3604316f1e3669aafa259c5457c9cccae9c9beb102b
                • Instruction Fuzzy Hash: 8E5164B20087859BCB25DB90DC859DFB3ECAF85341F00092EB599D3151EF74A28D976A
                APIs
                • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00CB896E
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: InvalidateRect
                • String ID:
                • API String ID: 634782764-0
                • Opcode ID: 91adad7e15fb59d88e2b41e54b36452b054ab6d7c752aeb8826e4eea9b05019d
                • Instruction ID: 7759426f897bb4a6fb8ecaa49da57f45bb51607a6e370b84353809e6337c51ba
                • Opcode Fuzzy Hash: 91adad7e15fb59d88e2b41e54b36452b054ab6d7c752aeb8826e4eea9b05019d
                • Instruction Fuzzy Hash: 78516430500218BFDF209F25CC89BEE7B6DBB05360F604116F525E62E1DF71AA98EB51
                APIs
                • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00C6C547
                • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00C6C569
                • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00C6C581
                • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00C6C59F
                • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00C6C5C0
                • DestroyIcon.USER32(00000000), ref: 00C6C5CF
                • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00C6C5EC
                • DestroyIcon.USER32(?), ref: 00C6C5FB
                  • Part of subcall function 00CBA71E: DeleteObject.GDI32(00000000), ref: 00CBA757
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                • String ID:
                • API String ID: 2819616528-0
                • Opcode ID: 349685970968074f6f70b4c5c076c36266e0758240109b72efb623d47cd6fa2f
                • Instruction ID: 2ceca8980cf04a4b6adf5a156f6bad0a5f76f4e8d6aabc1b67a14c201023f39a
                • Opcode Fuzzy Hash: 349685970968074f6f70b4c5c076c36266e0758240109b72efb623d47cd6fa2f
                • Instruction Fuzzy Hash: 9A516C70610209AFDF24DF25DC85FBA77B5EB58350F104528F952A72A0DB70ED91EB50
                APIs
                  • Part of subcall function 00C8AE57: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C8AE77
                  • Part of subcall function 00C8AE57: GetCurrentThreadId.KERNEL32 ref: 00C8AE7E
                  • Part of subcall function 00C8AE57: AttachThreadInput.USER32(00000000,?,00C89B65,?,00000001), ref: 00C8AE85
                • MapVirtualKeyW.USER32(00000025,00000000), ref: 00C89B70
                • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00C89B8D
                • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00C89B90
                • MapVirtualKeyW.USER32(00000025,00000000), ref: 00C89B99
                • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00C89BB7
                • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00C89BBA
                • MapVirtualKeyW.USER32(00000025,00000000), ref: 00C89BC3
                • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00C89BDA
                • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00C89BDD
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                • String ID:
                • API String ID: 2014098862-0
                • Opcode ID: 74a48d8ed160eaa375fed8332b0401dfe0df0b803e27fbf85d82b48e43e9f624
                • Instruction ID: 25a8552bd1362c1d3d16647274a0b7ed72671204fbc8f9ad82f714a3d74040d4
                • Opcode Fuzzy Hash: 74a48d8ed160eaa375fed8332b0401dfe0df0b803e27fbf85d82b48e43e9f624
                • Instruction Fuzzy Hash: 3C11E1B1950218BFF6106B64EC89F6E7B2DEB4C755F100929F644AB1A0C9F25C11DBA4
                APIs
                • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00C88A84,00000B00,?,?), ref: 00C88E0C
                • HeapAlloc.KERNEL32(00000000,?,00C88A84,00000B00,?,?), ref: 00C88E13
                • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C88A84,00000B00,?,?), ref: 00C88E28
                • GetCurrentProcess.KERNEL32(?,00000000,?,00C88A84,00000B00,?,?), ref: 00C88E30
                • DuplicateHandle.KERNEL32(00000000,?,00C88A84,00000B00,?,?), ref: 00C88E33
                • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00C88A84,00000B00,?,?), ref: 00C88E43
                • GetCurrentProcess.KERNEL32(00C88A84,00000000,?,00C88A84,00000B00,?,?), ref: 00C88E4B
                • DuplicateHandle.KERNEL32(00000000,?,00C88A84,00000B00,?,?), ref: 00C88E4E
                • CreateThread.KERNEL32(00000000,00000000,00C88E74,00000000,00000000,00000000), ref: 00C88E68
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                • String ID:
                • API String ID: 1957940570-0
                • Opcode ID: 1a5e135781e1a10fb8ce0265092b96b259c7a3b09dae9e1710cfaae60eee8362
                • Instruction ID: 2b4da931d2414493e40bf1185376d457841d45834d1a74e33f03db9fd5e28b73
                • Opcode Fuzzy Hash: 1a5e135781e1a10fb8ce0265092b96b259c7a3b09dae9e1710cfaae60eee8362
                • Instruction Fuzzy Hash: 9C01A8B5240308FFE610AFA9DC49F6F3BACEB89711F404525FA05DB2A1CA7098018B20
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Variant$ClearInit$_memset
                • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                • API String ID: 2862541840-625585964
                • Opcode ID: 673224795d47d4287ba856401716d274ae879e232adeba0c76de530339b15747
                • Instruction ID: aadb621c1fbbe7b6792d64def4bb5d740d5f96c57385f79a005871fdbfc76e90
                • Opcode Fuzzy Hash: 673224795d47d4287ba856401716d274ae879e232adeba0c76de530339b15747
                • Instruction Fuzzy Hash: A5919171E0021AAFDF24DFA5C84AFAEB7B8EF46314F108159F515AB290D7709A45CFA0
                APIs
                  • Part of subcall function 00C87652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C8758C,80070057,?,?,?,00C8799D), ref: 00C8766F
                  • Part of subcall function 00C87652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C8758C,80070057,?,?), ref: 00C8768A
                  • Part of subcall function 00C87652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C8758C,80070057,?,?), ref: 00C87698
                  • Part of subcall function 00C87652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C8758C,80070057,?), ref: 00C876A8
                • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00CA9B1B
                • _memset.LIBCMT ref: 00CA9B28
                • _memset.LIBCMT ref: 00CA9C6B
                • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00CA9C97
                • CoTaskMemFree.OLE32(?), ref: 00CA9CA2
                Strings
                • NULL Pointer assignment, xrefs: 00CA9CF0
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                • String ID: NULL Pointer assignment
                • API String ID: 1300414916-2785691316
                • Opcode ID: d35d0cb2e604508a10295b3dc645cb171befd11062362014f572726d9a2bbf06
                • Instruction ID: f32c584ebf26ca0c47ab45270ad1d39c09f6d622f8febe5a780b8a7162095003
                • Opcode Fuzzy Hash: d35d0cb2e604508a10295b3dc645cb171befd11062362014f572726d9a2bbf06
                • Instruction Fuzzy Hash: 33915871D00229EBDF10DFA5DC85ADEBBB8EF09714F20416AF419A7281DB319A44DFA0
                APIs
                • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00CB7093
                • SendMessageW.USER32(?,00001036,00000000,?), ref: 00CB70A7
                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00CB70C1
                • _wcscat.LIBCMT ref: 00CB711C
                • SendMessageW.USER32(?,00001057,00000000,?), ref: 00CB7133
                • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00CB7161
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: MessageSend$Window_wcscat
                • String ID: SysListView32
                • API String ID: 307300125-78025650
                • Opcode ID: 90763a0729d051be751aa367ea867963b5f72890f2fe3884ba99aa4f368d20bb
                • Instruction ID: d955cd26687904593497a61cbfce5c4ac2bbecc85edd68a89733b7389c9420c4
                • Opcode Fuzzy Hash: 90763a0729d051be751aa367ea867963b5f72890f2fe3884ba99aa4f368d20bb
                • Instruction Fuzzy Hash: DA41B471904308AFDB219FA4DC85BEE77F8EF48350F10062AF955E7291D7719E858B60
                APIs
                  • Part of subcall function 00C93E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00C93EB6
                  • Part of subcall function 00C93E91: Process32FirstW.KERNEL32(00000000,?), ref: 00C93EC4
                  • Part of subcall function 00C93E91: CloseHandle.KERNEL32(00000000), ref: 00C93F8E
                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00CAECB8
                • GetLastError.KERNEL32 ref: 00CAECCB
                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00CAECFA
                • TerminateProcess.KERNEL32(00000000,00000000), ref: 00CAED77
                • GetLastError.KERNEL32(00000000), ref: 00CAED82
                • CloseHandle.KERNEL32(00000000), ref: 00CAEDB7
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                • String ID: SeDebugPrivilege
                • API String ID: 2533919879-2896544425
                • Opcode ID: eed237cca91469695dd3f1b10cd17f853c5129e1831fd4101c5c32169a8b5671
                • Instruction ID: b888790afb35969126c2029fa1e54a4394237ff2a095901aca60f06bb1cd01e4
                • Opcode Fuzzy Hash: eed237cca91469695dd3f1b10cd17f853c5129e1831fd4101c5c32169a8b5671
                • Instruction Fuzzy Hash: 5741BE716002029FDB14EF28CC95F6EB7A1AF41718F08845DF8429F3D2DBB5A905EB96
                APIs
                • LoadIconW.USER32(00000000,00007F03), ref: 00C932C5
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: IconLoad
                • String ID: blank$info$question$stop$warning
                • API String ID: 2457776203-404129466
                • Opcode ID: 6d3bf3041c44791bf3ff319604036965b64e4e287aade78fc4c4f8fa1f6417b6
                • Instruction ID: fe94384e0d8b3c5b93998a2e640fb8b8a8554dbce663a637449d28f9607a2c45
                • Opcode Fuzzy Hash: 6d3bf3041c44791bf3ff319604036965b64e4e287aade78fc4c4f8fa1f6417b6
                • Instruction Fuzzy Hash: 68112735608BC6BEAB015B66DC47D6FB39CDF193B0F20007AF911AA2C3E7616B4045A5
                APIs
                • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00C9454E
                • LoadStringW.USER32(00000000), ref: 00C94555
                • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00C9456B
                • LoadStringW.USER32(00000000), ref: 00C94572
                • _wprintf.LIBCMT ref: 00C94598
                • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00C945B6
                Strings
                • %s (%d) : ==> %s: %s %s, xrefs: 00C94593
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: HandleLoadModuleString$Message_wprintf
                • String ID: %s (%d) : ==> %s: %s %s
                • API String ID: 3648134473-3128320259
                • Opcode ID: 37584b82ab5bbf1eb860374dc775389d2fabbbc1c7a00f73a0782ae37f739ef9
                • Instruction ID: 353ac2de9a4832fdd0570be39a4ffd9f2b2a1a6110dda08e916caecd3ff9047c
                • Opcode Fuzzy Hash: 37584b82ab5bbf1eb860374dc775389d2fabbbc1c7a00f73a0782ae37f739ef9
                • Instruction Fuzzy Hash: 49014FF6900208BFE710A7E49D8AFEA776CD708301F0005A9BB45D2152EA749E868B74
                APIs
                  • Part of subcall function 00C32612: GetWindowLongW.USER32(?,000000EB), ref: 00C32623
                • GetSystemMetrics.USER32(0000000F), ref: 00CBD78A
                • GetSystemMetrics.USER32(0000000F), ref: 00CBD7AA
                • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00CBD9E5
                • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00CBDA03
                • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00CBDA24
                • ShowWindow.USER32(00000003,00000000), ref: 00CBDA43
                • InvalidateRect.USER32(?,00000000,00000001), ref: 00CBDA68
                • DefDlgProcW.USER32(?,00000005,?,?), ref: 00CBDA8B
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                • String ID:
                • API String ID: 1211466189-0
                • Opcode ID: 488c3ad13f1a1b80da548a195b1973a908f89aace42426fcace4d74464211ea2
                • Instruction ID: cce99e7ed5797c2ba9c07eb673edb46ccf11f7c1e89c158666f354ef5cdc3437
                • Opcode Fuzzy Hash: 488c3ad13f1a1b80da548a195b1973a908f89aace42426fcace4d74464211ea2
                • Instruction Fuzzy Hash: E6B18971A00225EBDF14CF69C9C57FD7BB1BF04701F088169EC5A9B295EB34AA50DB90
                APIs
                • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00C6C417,00000004,00000000,00000000,00000000), ref: 00C32ACF
                • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00C6C417,00000004,00000000,00000000,00000000,000000FF), ref: 00C32B17
                • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00C6C417,00000004,00000000,00000000,00000000), ref: 00C6C46A
                • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00C6C417,00000004,00000000,00000000,00000000), ref: 00C6C4D6
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: ShowWindow
                • String ID:
                • API String ID: 1268545403-0
                • Opcode ID: 83a101680b9a451a7a672771924a4b85fe304f409a77da1cd43d16ba970936e7
                • Instruction ID: cd8b363fb5cabd1567404afc98635ee0ab5e2d471501078232c96f2fee32a8cc
                • Opcode Fuzzy Hash: 83a101680b9a451a7a672771924a4b85fe304f409a77da1cd43d16ba970936e7
                • Instruction Fuzzy Hash: 0C412B312287809BCF358B29CCDC77B7BE2AF55300F14881DF0A786660CA75AA42F711
                APIs
                • InterlockedExchange.KERNEL32(?,000001F5), ref: 00C9737F
                  • Part of subcall function 00C50FF6: std::exception::exception.LIBCMT ref: 00C5102C
                  • Part of subcall function 00C50FF6: __CxxThrowException@8.LIBCMT ref: 00C51041
                • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00C973B6
                • EnterCriticalSection.KERNEL32(?), ref: 00C973D2
                • _memmove.LIBCMT ref: 00C97420
                • _memmove.LIBCMT ref: 00C9743D
                • LeaveCriticalSection.KERNEL32(?), ref: 00C9744C
                • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00C97461
                • InterlockedExchange.KERNEL32(?,000001F6), ref: 00C97480
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                • String ID:
                • API String ID: 256516436-0
                • Opcode ID: 6372dcbb48f45af0436478df655673afaf8388ca97c98ad4fec71014721756d1
                • Instruction ID: 705964b035ade39f1af07978b9d1d72064f8163f0795bbafa8bbc06b5f0231b9
                • Opcode Fuzzy Hash: 6372dcbb48f45af0436478df655673afaf8388ca97c98ad4fec71014721756d1
                • Instruction Fuzzy Hash: 01318C35904205EBCF10DFA8DC89BAE7B78EF44710F1442A9FD04AA246DB309A55DBA4
                APIs
                • DeleteObject.GDI32(00000000), ref: 00CB645A
                • GetDC.USER32(00000000), ref: 00CB6462
                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CB646D
                • ReleaseDC.USER32(00000000,00000000), ref: 00CB6479
                • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00CB64B5
                • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00CB64C6
                • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00CB9299,?,?,000000FF,00000000,?,000000FF,?), ref: 00CB6500
                • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00CB6520
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                • String ID:
                • API String ID: 3864802216-0
                • Opcode ID: ce75222dfa4ca4ead7037229efbfc9aa3f6baec04e4f28d6c021a2216f7bc63b
                • Instruction ID: 01f7b9498bbe7eea6ba101f5f52c3cc94878e43b9a44de794da601f89d9e6b48
                • Opcode Fuzzy Hash: ce75222dfa4ca4ead7037229efbfc9aa3f6baec04e4f28d6c021a2216f7bc63b
                • Instruction Fuzzy Hash: 36319F72200214BFEB208F10DC4AFEA3FADEF09761F040169FE089A2A1C6759D52CB70
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: _memcmp
                • String ID:
                • API String ID: 2931989736-0
                • Opcode ID: 573dd3db3d493edce49fdb4366adeacad7ead2a41a14fbb9130b9c083216eb71
                • Instruction ID: 8d852a349f492cffa90605f4cf8f8f335202de52565e82f57e1512e68a08235e
                • Opcode Fuzzy Hash: 573dd3db3d493edce49fdb4366adeacad7ead2a41a14fbb9130b9c083216eb71
                • Instruction Fuzzy Hash: C1218E75A00205BBE624B5219DCAFAF239CEF203DDF084025FD0596282EB71EE1593BD
                APIs
                  • Part of subcall function 00C39997: __itow.LIBCMT ref: 00C399C2
                  • Part of subcall function 00C39997: __swprintf.LIBCMT ref: 00C39A0C
                  • Part of subcall function 00C4FEC6: _wcscpy.LIBCMT ref: 00C4FEE9
                • _wcstok.LIBCMT ref: 00C9EEFF
                • _wcscpy.LIBCMT ref: 00C9EF8E
                • _memset.LIBCMT ref: 00C9EFC1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                • String ID: X
                • API String ID: 774024439-3081909835
                • Opcode ID: 04f5bedee70bcb2f97ff8d95efb326c67dbde9b3e391e7b58acbbd0cc4ebb5d8
                • Instruction ID: 0c96fe39551ca2e8bf1fcc4cce680e80f26163df97b97b7f33e9212fb614fa36
                • Opcode Fuzzy Hash: 04f5bedee70bcb2f97ff8d95efb326c67dbde9b3e391e7b58acbbd0cc4ebb5d8
                • Instruction Fuzzy Hash: 92C180755183409FCB24EF24C885AAEB7E4FF85314F04492DF89A972A2DB70ED45DB82
                APIs
                • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00CA6F14
                • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00CA6F35
                • WSAGetLastError.WSOCK32(00000000), ref: 00CA6F48
                • htons.WSOCK32(?,?,?,00000000,?), ref: 00CA6FFE
                • inet_ntoa.WSOCK32(?), ref: 00CA6FBB
                  • Part of subcall function 00C8AE14: _strlen.LIBCMT ref: 00C8AE1E
                  • Part of subcall function 00C8AE14: _memmove.LIBCMT ref: 00C8AE40
                • _strlen.LIBCMT ref: 00CA7058
                • _memmove.LIBCMT ref: 00CA70C1
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                • String ID:
                • API String ID: 3619996494-0
                • Opcode ID: ba9af93b23e6a50b7af4138167b7be10e76aa2dd9b93c44afba10d01306be23c
                • Instruction ID: 890839d486ecb85cbd54aa6fa5c082c9440074dda455b0dcddc94bfce29bbae3
                • Opcode Fuzzy Hash: ba9af93b23e6a50b7af4138167b7be10e76aa2dd9b93c44afba10d01306be23c
                • Instruction Fuzzy Hash: 0F81EE71108301ABD710EB24CC86F6FB3E9EF86718F144A1CF5569B2A2DB709E05DB92
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 10a1c8046309f4636bb69840d16b2b319cb8a952345ade4928f1925bb973206c
                • Instruction ID: 52575687e51bd3798e99162272c155bab29131d765211f10cd1363897527dcc8
                • Opcode Fuzzy Hash: 10a1c8046309f4636bb69840d16b2b319cb8a952345ade4928f1925bb973206c
                • Instruction Fuzzy Hash: 0C716C30910109EFDB14DF99CC89EBEBBB9FF85310F18C159F925AA251C734AA51DBA0
                APIs
                • IsWindow.USER32(015B4DB8), ref: 00CBB6A5
                • IsWindowEnabled.USER32(015B4DB8), ref: 00CBB6B1
                • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00CBB795
                • SendMessageW.USER32(015B4DB8,000000B0,?,?), ref: 00CBB7CC
                • IsDlgButtonChecked.USER32(?,?), ref: 00CBB809
                • GetWindowLongW.USER32(015B4DB8,000000EC), ref: 00CBB82B
                • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00CBB843
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                • String ID:
                • API String ID: 4072528602-0
                • Opcode ID: 59351c7981183ef29cb7e10c79d723dfe0d3790907627e583e451b2af5fd6057
                • Instruction ID: f69f5555821fdea20f94ede4be9f97ddf90b3bca285cd4e9f601e3e69ca05f2d
                • Opcode Fuzzy Hash: 59351c7981183ef29cb7e10c79d723dfe0d3790907627e583e451b2af5fd6057
                • Instruction Fuzzy Hash: 1A718F74600204AFDB249F65C894FFEBBB9EF59300F144059F966A73A1CBB1AE41DB60
                APIs
                • _memset.LIBCMT ref: 00CAF75C
                • _memset.LIBCMT ref: 00CAF825
                • ShellExecuteExW.SHELL32(?), ref: 00CAF86A
                  • Part of subcall function 00C39997: __itow.LIBCMT ref: 00C399C2
                  • Part of subcall function 00C39997: __swprintf.LIBCMT ref: 00C39A0C
                  • Part of subcall function 00C4FEC6: _wcscpy.LIBCMT ref: 00C4FEE9
                • GetProcessId.KERNEL32(00000000), ref: 00CAF8E1
                • CloseHandle.KERNEL32(00000000), ref: 00CAF910
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                • String ID: @
                • API String ID: 3522835683-2766056989
                • Opcode ID: b1f85ef51fd99f7c5669fa1dfccff656c83362b35f301e43e758b55774744dad
                • Instruction ID: d8b91cf55801c4687c1fe625eb9411f4f3fc7e338aa22633c44d28e828d1e0e0
                • Opcode Fuzzy Hash: b1f85ef51fd99f7c5669fa1dfccff656c83362b35f301e43e758b55774744dad
                • Instruction Fuzzy Hash: F5619175A006199FCB14DF94C884AAEB7F0FF49314F14846DE855AB391CB30AE41DF94
                APIs
                • GetParent.USER32(?), ref: 00C9149C
                • GetKeyboardState.USER32(?), ref: 00C914B1
                • SetKeyboardState.USER32(?), ref: 00C91512
                • PostMessageW.USER32(?,00000101,00000010,?), ref: 00C91540
                • PostMessageW.USER32(?,00000101,00000011,?), ref: 00C9155F
                • PostMessageW.USER32(?,00000101,00000012,?), ref: 00C915A5
                • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00C915C8
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: MessagePost$KeyboardState$Parent
                • String ID:
                • API String ID: 87235514-0
                • Opcode ID: da930ba77a8ec57662041dde439b531364054ca1ffaf27a48eb780e684d17deb
                • Instruction ID: 69e94ca498cb584a293d841872b51e7dd2be97dbad10aa3a7a6c4dc28944f22f
                • Opcode Fuzzy Hash: da930ba77a8ec57662041dde439b531364054ca1ffaf27a48eb780e684d17deb
                • Instruction Fuzzy Hash: 8E51E1A0A046D73EFF3242248C4ABBA7EE95B46304F0D8589F9E6468D2C294EE84D750
                APIs
                • GetParent.USER32(00000000), ref: 00C912B5
                • GetKeyboardState.USER32(?), ref: 00C912CA
                • SetKeyboardState.USER32(?), ref: 00C9132B
                • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00C91357
                • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00C91374
                • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00C913B8
                • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00C913D9
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: MessagePost$KeyboardState$Parent
                • String ID:
                • API String ID: 87235514-0
                • Opcode ID: 2feea1108127ace1b2a23b6bb17cc8a43d3a1f313f46384bba715873e0380618
                • Instruction ID: 1cf6619fa93a2e8daae12cef089c04ef99b9363a955ba2c24a452674e73d2337
                • Opcode Fuzzy Hash: 2feea1108127ace1b2a23b6bb17cc8a43d3a1f313f46384bba715873e0380618
                • Instruction Fuzzy Hash: 5451E5A05046D77DFF3287258C4AB7A7FE96B06300F0C8589E9E4468D2D394EE94E750
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: _wcsncpy$LocalTime
                • String ID:
                • API String ID: 2945705084-0
                • Opcode ID: 2ea85ec2e5461fafbb0454910cbd8026d0f0b0d45f791e0b8b625898b9954ee4
                • Instruction ID: e6663436bf3d3d89ed384f9a72bb6f3c4f64d63ac07ebeb9187c739e343f57a0
                • Opcode Fuzzy Hash: 2ea85ec2e5461fafbb0454910cbd8026d0f0b0d45f791e0b8b625898b9954ee4
                • Instruction Fuzzy Hash: 9841C56AC2052876CF11EBB48C8A9DF73A89F05311F508552F918E3221EB34E799D7AD
                APIs
                  • Part of subcall function 00C948AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C938D3,?), ref: 00C948C7
                  • Part of subcall function 00C948AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C938D3,?), ref: 00C948E0
                • lstrcmpiW.KERNEL32(?,?), ref: 00C938F3
                • _wcscmp.LIBCMT ref: 00C9390F
                • MoveFileW.KERNEL32(?,?), ref: 00C93927
                • _wcscat.LIBCMT ref: 00C9396F
                • SHFileOperationW.SHELL32(?), ref: 00C939DB
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                • String ID: \*.*
                • API String ID: 1377345388-1173974218
                • Opcode ID: 378a7047f82531a9f906469e01c4c6c3d45084226228409bacbf6a0c81663e20
                • Instruction ID: d9f4240d74abd523beeb8a8262e5f811fec65813ad796a78fe30a3e5eaa507af
                • Opcode Fuzzy Hash: 378a7047f82531a9f906469e01c4c6c3d45084226228409bacbf6a0c81663e20
                • Instruction Fuzzy Hash: BA41A2B25083849ECB55EF64C489ADFB7E8AF89340F04092EB499C3151EB74D789C756
                APIs
                • _memset.LIBCMT ref: 00CB7519
                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CB75C0
                • IsMenu.USER32(?), ref: 00CB75D8
                • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00CB7620
                • DrawMenuBar.USER32 ref: 00CB7633
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Menu$Item$DrawInfoInsert_memset
                • String ID: 0
                • API String ID: 3866635326-4108050209
                • Opcode ID: 0714ac91966c494af750dc1c5284a846110c003c41c235609097dc79aa97e588
                • Instruction ID: 962c0b20dd1a575f933efc36efea2c647e1faa0e82574dc2fa741903cc36981c
                • Opcode Fuzzy Hash: 0714ac91966c494af750dc1c5284a846110c003c41c235609097dc79aa97e588
                • Instruction Fuzzy Hash: BD412975A04609AFDB20DF58D884EEABBF8FB44350F058229FD2597290D730AE54DFA0
                APIs
                • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00CB125C
                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CB1286
                • FreeLibrary.KERNEL32(00000000), ref: 00CB133D
                  • Part of subcall function 00CB122D: RegCloseKey.ADVAPI32(?), ref: 00CB12A3
                  • Part of subcall function 00CB122D: FreeLibrary.KERNEL32(?), ref: 00CB12F5
                  • Part of subcall function 00CB122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00CB1318
                • RegDeleteKeyW.ADVAPI32(?,?), ref: 00CB12E0
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: EnumFreeLibrary$CloseDeleteOpen
                • String ID:
                • API String ID: 395352322-0
                • Opcode ID: 13c05e9f12023956abb464402b8d8a9df4fa105c6ea3963cd91af1609a9fd4cb
                • Instruction ID: b826b4300ef6107081eb592fe5d591814c15cf17454b76a05682a30230c8a793
                • Opcode Fuzzy Hash: 13c05e9f12023956abb464402b8d8a9df4fa105c6ea3963cd91af1609a9fd4cb
                • Instruction Fuzzy Hash: 3F312D71901119BFDB149B94EC99AFFB7BCEF08300F440169F912E2251EA749F459AA0
                APIs
                • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00CB655B
                • GetWindowLongW.USER32(015B4DB8,000000F0), ref: 00CB658E
                • GetWindowLongW.USER32(015B4DB8,000000F0), ref: 00CB65C3
                • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00CB65F5
                • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00CB661F
                • GetWindowLongW.USER32(00000000,000000F0), ref: 00CB6630
                • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00CB664A
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: LongWindow$MessageSend
                • String ID:
                • API String ID: 2178440468-0
                • Opcode ID: 83e8062756d49dc8e7d5059acd19f4b756c2de84b7c12ff4c0f765baa3b72632
                • Instruction ID: f43c259a95ef8ae4d7654346b9cb08b6692af9cf1e22879009bb6aeb2f7e2186
                • Opcode Fuzzy Hash: 83e8062756d49dc8e7d5059acd19f4b756c2de84b7c12ff4c0f765baa3b72632
                • Instruction Fuzzy Hash: C6310230604254AFDB31CF28DC85FA93BE1FB4A750F1902A8F9218B2B6CB75AD54DB51
                APIs
                  • Part of subcall function 00CA80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00CA80CB
                • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00CA64D9
                • WSAGetLastError.WSOCK32(00000000), ref: 00CA64E8
                • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00CA6521
                • connect.WSOCK32(00000000,?,00000010), ref: 00CA652A
                • WSAGetLastError.WSOCK32 ref: 00CA6534
                • closesocket.WSOCK32(00000000), ref: 00CA655D
                • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00CA6576
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                • String ID:
                • API String ID: 910771015-0
                • Opcode ID: 75d10667c17b0b6def351666d05e9907b2d710c3483440ae367b195726010d07
                • Instruction ID: 9b730d5f7c371c907efbe1e50bfbea8cd80e7d3253a846de5cc7126f50865250
                • Opcode Fuzzy Hash: 75d10667c17b0b6def351666d05e9907b2d710c3483440ae367b195726010d07
                • Instruction Fuzzy Hash: 7C31C431600219AFDB10EF24CC85BBE7BACEB46718F044169FD59A7291CB74AD05DB61
                APIs
                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C8E0FA
                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C8E120
                • SysAllocString.OLEAUT32(00000000), ref: 00C8E123
                • SysAllocString.OLEAUT32 ref: 00C8E144
                • SysFreeString.OLEAUT32 ref: 00C8E14D
                • StringFromGUID2.OLE32(?,?,00000028), ref: 00C8E167
                • SysAllocString.OLEAUT32(?), ref: 00C8E175
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                Similarity
                • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                • String ID:
                • API String ID: 3761583154-0
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                Similarity
                • API ID: __wcsnicmp
                • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                • API String ID: 1038674560-2734436370
                APIs
                  • Part of subcall function 00C31D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00C31D73
                  • Part of subcall function 00C31D35: GetStockObject.GDI32(00000011), ref: 00C31D87
                  • Part of subcall function 00C31D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C31D91
                • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00CB78A1
                • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00CB78AE
                • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00CB78B9
                • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00CB78C8
                • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00CB78D4
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                Similarity
                • API ID: MessageSend$CreateObjectStockWindow
                • String ID: Msctls_Progress32
                • API String ID: 1025951953-3636473452
                APIs
                • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00C54292,?), ref: 00C541E3
                • GetProcAddress.KERNEL32(00000000), ref: 00C541EA
                • EncodePointer.KERNEL32(00000000), ref: 00C541F6
                • DecodePointer.KERNEL32(00000001,00C54292,?), ref: 00C54213
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                Similarity
                • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                • String ID: RoInitialize$combase.dll
                • API String ID: 3489934621-340411864
                APIs
                • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00C541B8), ref: 00C542B8
                • GetProcAddress.KERNEL32(00000000), ref: 00C542BF
                • EncodePointer.KERNEL32(00000000), ref: 00C542CA
                • DecodePointer.KERNEL32(00C541B8), ref: 00C542E5
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                Similarity
                • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                • String ID: RoUninitialize$combase.dll
                • API String ID: 3489934621-2819208100
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                Similarity
                • API ID: _memmove$__itow__swprintf
                • String ID:
                • API String ID: 3253778849-0
                APIs
                  • Part of subcall function 00C37F41: _memmove.LIBCMT ref: 00C37F82
                  • Part of subcall function 00CB10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CB0038,?,?), ref: 00CB10BC
                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CB0548
                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CB0588
                • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00CB05AB
                • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00CB05D4
                • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00CB0617
                • RegCloseKey.ADVAPI32(00000000), ref: 00CB0624
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                Similarity
                • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                • String ID:
                • API String ID: 4046560759-0
                APIs
                • GetMenu.USER32(?), ref: 00CB5A82
                • GetMenuItemCount.USER32(00000000), ref: 00CB5AB9
                • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00CB5AE1
                • GetMenuItemID.USER32(?,?), ref: 00CB5B50
                • GetSubMenu.USER32(?,?), ref: 00CB5B5E
                • PostMessageW.USER32(?,00000111,?,00000000), ref: 00CB5BAF
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                Similarity
                • API ID: Menu$Item$CountMessagePostString
                • String ID:
                • API String ID: 650687236-0
                APIs
                • VariantInit.OLEAUT32(?), ref: 00C8F3F7
                • VariantClear.OLEAUT32(00000013), ref: 00C8F469
                • VariantClear.OLEAUT32(00000000), ref: 00C8F4C4
                • _memmove.LIBCMT ref: 00C8F4EE
                • VariantClear.OLEAUT32(?), ref: 00C8F53B
                • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00C8F569
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                Similarity
                • API ID: Variant$Clear$ChangeInitType_memmove
                • String ID:
                • API String ID: 1101466143-0
                APIs
                • _memset.LIBCMT ref: 00C92747
                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C92792
                • IsMenu.USER32(00000000), ref: 00C927B2
                • CreatePopupMenu.USER32 ref: 00C927E6
                • GetMenuItemCount.USER32(000000FF), ref: 00C92844
                • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00C92875
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                Similarity
                • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                • String ID:
                • API String ID: 3311875123-0
                APIs
                  • Part of subcall function 00C32612: GetWindowLongW.USER32(?,000000EB), ref: 00C32623
                • BeginPaint.USER32(?,?,?,?,?,?), ref: 00C3179A
                • GetWindowRect.USER32(?,?), ref: 00C317FE
                • ScreenToClient.USER32(?,?), ref: 00C3181B
                • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00C3182C
                • EndPaint.USER32(?,?), ref: 00C31876
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                Similarity
                • API ID: PaintWindow$BeginClientLongRectScreenViewport
                • String ID:
                • API String ID: 1827037458-0
                APIs
                • ShowWindow.USER32(00CF67B0,00000000,015B4DB8,?,?,00CF67B0,?,00CBB862,?,?), ref: 00CBB9CC
                • EnableWindow.USER32(00000000,00000000), ref: 00CBB9F0
                • ShowWindow.USER32(00CF67B0,00000000,015B4DB8,?,?,00CF67B0,?,00CBB862,?,?), ref: 00CBBA50
                • ShowWindow.USER32(00000000,00000004,?,00CBB862,?,?), ref: 00CBBA62
                • EnableWindow.USER32(00000000,00000001), ref: 00CBBA86
                • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00CBBAA9
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                Similarity
                • API ID: Window$Show$Enable$MessageSend
                • String ID:
                • API String ID: 642888154-0
                APIs
                • GetForegroundWindow.USER32(?,?,?,?,?,?,00CA5134,?,?,00000000,00000001), ref: 00CA73BF
                  • Part of subcall function 00CA3C94: GetWindowRect.USER32(?,?), ref: 00CA3CA7
                • GetDesktopWindow.USER32 ref: 00CA73E9
                • GetWindowRect.USER32(00000000), ref: 00CA73F0
                • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00CA7422
                  • Part of subcall function 00C954E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C9555E
                • GetCursorPos.USER32(?), ref: 00CA744E
                • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00CA74AC
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                Similarity
                • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                • String ID:
                • API String ID: 4137160315-0
                APIs
                  • Part of subcall function 00C885F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C88608
                  • Part of subcall function 00C885F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C88612
                  • Part of subcall function 00C885F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C88621
                  • Part of subcall function 00C885F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C88628
                  • Part of subcall function 00C885F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C8863E
                • GetLengthSid.ADVAPI32(?,00000000,00C88977), ref: 00C88DAC
                • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00C88DB8
                • HeapAlloc.KERNEL32(00000000), ref: 00C88DBF
                • CopySid.ADVAPI32(00000000,00000000,?), ref: 00C88DD8
                • GetProcessHeap.KERNEL32(00000000,00000000,00C88977), ref: 00C88DEC
                • HeapFree.KERNEL32(00000000), ref: 00C88DF3
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                Similarity
                • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                • String ID:
                • API String ID: 3008561057-0
                APIs
                • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00C88B2A
                • OpenProcessToken.ADVAPI32(00000000), ref: 00C88B31
                • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00C88B40
                • CloseHandle.KERNEL32(00000004), ref: 00C88B4B
                • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C88B7A
                • DestroyEnvironmentBlock.USERENV(00000000), ref: 00C88B8E
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                Similarity
                • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                • String ID:
                • API String ID: 1413079979-0
                APIs
                  • Part of subcall function 00C312F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C3134D
                  • Part of subcall function 00C312F3: SelectObject.GDI32(?,00000000), ref: 00C3135C
                  • Part of subcall function 00C312F3: BeginPath.GDI32(?), ref: 00C31373
                  • Part of subcall function 00C312F3: SelectObject.GDI32(?,00000000), ref: 00C3139C
                • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00CBC1C4
                • LineTo.GDI32(00000000,00000003,?), ref: 00CBC1D8
                • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00CBC1E6
                • LineTo.GDI32(00000000,00000000,?), ref: 00CBC1F6
                • EndPath.GDI32(00000000), ref: 00CBC206
                • StrokePath.GDI32(00000000), ref: 00CBC216
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                Similarity
                • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                • String ID:
                • API String ID: 43455801-0
                APIs
                • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C503D3
                • MapVirtualKeyW.USER32(00000010,00000000), ref: 00C503DB
                • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C503E6
                • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C503F1
                • MapVirtualKeyW.USER32(00000011,00000000), ref: 00C503F9
                • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C50401
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Virtual
                • String ID:
                • API String ID: 4278518827-0
                • Opcode ID: fdec8235fa2d9f2d705ebc99130fc374d80f155b0219e9c0f69500947227a1ec
                • Instruction ID: bcd485d88369db44f52c087e0ad1b03d8542d872ff1290ea43f2f268d8b05931
                • Opcode Fuzzy Hash: fdec8235fa2d9f2d705ebc99130fc374d80f155b0219e9c0f69500947227a1ec
                • Instruction Fuzzy Hash: 550148B09017597DE3008F5A8C85B56FFA8FF19354F00411BA15847A41C7B5A864CBE5
                APIs
                • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00C9569B
                • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00C956B1
                • GetWindowThreadProcessId.USER32(?,?), ref: 00C956C0
                • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C956CF
                • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C956D9
                • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C956E0
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                • String ID:
                • API String ID: 839392675-0
                • Opcode ID: 9ab2aefa26dafef9165a5db4440b65ee9d9d5371a5140c45468297e4a2aaf7b1
                • Instruction ID: cb3b05259fe3f260376eaa5c54ca2ecd980724f8411196ade56501e70acd2e25
                • Opcode Fuzzy Hash: 9ab2aefa26dafef9165a5db4440b65ee9d9d5371a5140c45468297e4a2aaf7b1
                • Instruction Fuzzy Hash: 74F01D32641158BBE7215BA6AC0DFEF7B7CEBCAB11F00026DFA04D1260D6A11A0287B5
                APIs
                • InterlockedExchange.KERNEL32(?,?), ref: 00C974E5
                • EnterCriticalSection.KERNEL32(?,?,00C41044,?,?), ref: 00C974F6
                • TerminateThread.KERNEL32(00000000,000001F6,?,00C41044,?,?), ref: 00C97503
                • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00C41044,?,?), ref: 00C97510
                  • Part of subcall function 00C96ED7: CloseHandle.KERNEL32(00000000,?,00C9751D,?,00C41044,?,?), ref: 00C96EE1
                • InterlockedExchange.KERNEL32(?,000001F6), ref: 00C97523
                • LeaveCriticalSection.KERNEL32(?,?,00C41044,?,?), ref: 00C9752A
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                • String ID:
                • API String ID: 3495660284-0
                • Opcode ID: ea8e8ed13e75598e3efb39e94b3e0a8ae3c8f30cf7369e7a7e72b52cd7cbf18b
                • Instruction ID: 8e173b560655143fe4be513d3e16c6263af0de6061656e4e8b6587d8a350c93d
                • Opcode Fuzzy Hash: ea8e8ed13e75598e3efb39e94b3e0a8ae3c8f30cf7369e7a7e72b52cd7cbf18b
                • Instruction Fuzzy Hash: 53F03A3A141612EBDB121B64EC8CBEE772AAF45302F010639F202915A5CB755902CB51
                APIs
                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C88E7F
                • UnloadUserProfile.USERENV(?,?), ref: 00C88E8B
                • CloseHandle.KERNEL32(?), ref: 00C88E94
                • CloseHandle.KERNEL32(?), ref: 00C88E9C
                • GetProcessHeap.KERNEL32(00000000,?), ref: 00C88EA5
                • HeapFree.KERNEL32(00000000), ref: 00C88EAC
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                • String ID:
                • API String ID: 146765662-0
                • Opcode ID: 03468041b6727261fc47a5247be9de7e9911e3bb17388d077a0397cfcdda8b83
                • Instruction ID: b4184c5ebd3f5b8a9828ed76220b1b1436bed3591632ef4020e1f5bfd6c090fc
                • Opcode Fuzzy Hash: 03468041b6727261fc47a5247be9de7e9911e3bb17388d077a0397cfcdda8b83
                • Instruction Fuzzy Hash: 49E0C276004001FBDA021FE5EC0CB1EBBA9FB99322B148738F21981270CB329822DB50
                APIs
                • VariantInit.OLEAUT32(?), ref: 00CA8928
                • CharUpperBuffW.USER32(?,?), ref: 00CA8A37
                • VariantClear.OLEAUT32(?), ref: 00CA8BAF
                  • Part of subcall function 00C97804: VariantInit.OLEAUT32(00000000), ref: 00C97844
                  • Part of subcall function 00C97804: VariantCopy.OLEAUT32(00000000,?), ref: 00C9784D
                  • Part of subcall function 00C97804: VariantClear.OLEAUT32(00000000), ref: 00C97859
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Variant$ClearInit$BuffCharCopyUpper
                • String ID: AUTOIT.ERROR$Incorrect Parameter format
                • API String ID: 4237274167-1221869570
                • Opcode ID: baec99385e0c8aa3d9a2bea6dfec8fa6dd2b43d4b30a56bc3f8a3519fe12bbb4
                • Instruction ID: 902045a89c0ee28c9742aeb15b11e1273084f5cb31fef15a9e0441fc4567d4e5
                • Opcode Fuzzy Hash: baec99385e0c8aa3d9a2bea6dfec8fa6dd2b43d4b30a56bc3f8a3519fe12bbb4
                • Instruction Fuzzy Hash: 729180756083029FC710DF24C88596BBBE4EF89318F04496EF89A8B361DB30ED49DB52
                APIs
                  • Part of subcall function 00C4FEC6: _wcscpy.LIBCMT ref: 00C4FEE9
                • _memset.LIBCMT ref: 00C93077
                • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C930A6
                • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C93159
                • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00C93187
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: ItemMenu$Info$Default_memset_wcscpy
                • String ID: 0
                • API String ID: 4152858687-4108050209
                • Opcode ID: 2728ebaf38654cc2e9b51cad06b96e82f194d287ca770dbd652a1c580f7be7d4
                • Instruction ID: 3095c1b192f02636df42436c4647b514fb1f10ee81dc4a7f3c467b075d86b377
                • Opcode Fuzzy Hash: 2728ebaf38654cc2e9b51cad06b96e82f194d287ca770dbd652a1c580f7be7d4
                • Instruction Fuzzy Hash: 38518D716083809ADB259F28D84DA6FB7E4EF85360F040A2DF8A5D21A1DB70CB489796
                APIs
                • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00C8DAC5
                • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00C8DAFB
                • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00C8DB0C
                • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00C8DB8E
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: ErrorMode$AddressCreateInstanceProc
                • String ID: DllGetClassObject
                • API String ID: 753597075-1075368562
                • Opcode ID: 7b766f2786dda68055898756515ed8a26105d9ada3199246718666cab838557a
                • Instruction ID: 66e344f0ddbbdd7be3ab6726bc1f30ca592b63a0cb6250a344f2e02267c4d36c
                • Opcode Fuzzy Hash: 7b766f2786dda68055898756515ed8a26105d9ada3199246718666cab838557a
                • Instruction Fuzzy Hash: D641D0B1600208EFDB14DF15C888BAA7BB9EF44354F1180ADED169F286D7B0DE40DBA4
                APIs
                • _memset.LIBCMT ref: 00C92CAF
                • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00C92CCB
                • DeleteMenu.USER32(?,00000007,00000000), ref: 00C92D11
                • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00CF6890,00000000), ref: 00C92D5A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Menu$Delete$InfoItem_memset
                • String ID: 0
                • API String ID: 1173514356-4108050209
                • Opcode ID: 2d2cafe9e0d64847eb58cd72238c1272a8cd0cca183908f55b0270af0feb2374
                • Instruction ID: 378a33af825246bfc3e2f8e55fbaf114ab99bb8d088ac84e281e905e46a11894
                • Opcode Fuzzy Hash: 2d2cafe9e0d64847eb58cd72238c1272a8cd0cca183908f55b0270af0feb2374
                • Instruction Fuzzy Hash: 0C418071205301AFDB20DF24C849B5ABBE8EF85320F14465EF9A5972D1D770EA05CBA2
                APIs
                • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00CADAD9
                  • Part of subcall function 00C379AB: _memmove.LIBCMT ref: 00C379F9
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: BuffCharLower_memmove
                • String ID: cdecl$none$stdcall$winapi
                • API String ID: 3425801089-567219261
                • Opcode ID: 16079f2f2afbd1293a44a265a0990490e1227255ed4363ebb4548bfa91c21f51
                • Instruction ID: 731325308adf7e7a32782864193e12372f46f13180df970b5e29565ba8a8d63c
                • Opcode Fuzzy Hash: 16079f2f2afbd1293a44a265a0990490e1227255ed4363ebb4548bfa91c21f51
                • Instruction Fuzzy Hash: 4C3170B051061AAFCF10EF54D8819EEB3B4FF06314F108629E876976D1DB71AA06DB90
                APIs
                  • Part of subcall function 00C37F41: _memmove.LIBCMT ref: 00C37F82
                  • Part of subcall function 00C8B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00C8B0E7
                • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00C893F6
                • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00C89409
                • SendMessageW.USER32(?,00000189,?,00000000), ref: 00C89439
                  • Part of subcall function 00C37D2C: _memmove.LIBCMT ref: 00C37D66
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: MessageSend$_memmove$ClassName
                • String ID: ComboBox$ListBox
                • API String ID: 365058703-1403004172
                • Opcode ID: ec643963df22fe24146d7a4cd77eb054d06066778c0428e20355dede5956cd24
                • Instruction ID: f53d6b5f7354c4a5b9cedb0d3e1fb0a31d6d18794cebf7f4c3094251e2048634
                • Opcode Fuzzy Hash: ec643963df22fe24146d7a4cd77eb054d06066778c0428e20355dede5956cd24
                • Instruction Fuzzy Hash: F821E1B1900108BBDB14BBB5CC869FFB778DF45364F144229F926972E1DB350E0AA724
                APIs
                • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00CA1B40
                • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00CA1B66
                • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00CA1B96
                • InternetCloseHandle.WININET(00000000), ref: 00CA1BDD
                  • Part of subcall function 00CA2777: GetLastError.KERNEL32(?,?,00CA1B0B,00000000,00000000,00000001), ref: 00CA278C
                  • Part of subcall function 00CA2777: SetEvent.KERNEL32(?,?,00CA1B0B,00000000,00000000,00000001), ref: 00CA27A1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                • String ID:
                • API String ID: 3113390036-3916222277
                • Opcode ID: 1c24897089df33c9fb3c506960e908c92dbfe283dba7df5b886eae1abc98fb75
                • Instruction ID: b8030693079fd09bd03a8d618126a542e59cab3e151b6c2e3f118e8b98438d64
                • Opcode Fuzzy Hash: 1c24897089df33c9fb3c506960e908c92dbfe283dba7df5b886eae1abc98fb75
                • Instruction Fuzzy Hash: 4E21CFB1500209BFEB119F65EC85FBF76FCEB4A758F14416AF805E2240EA209E0597B1
                APIs
                  • Part of subcall function 00C31D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00C31D73
                  • Part of subcall function 00C31D35: GetStockObject.GDI32(00000011), ref: 00C31D87
                  • Part of subcall function 00C31D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C31D91
                • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00CB66D0
                • LoadLibraryW.KERNEL32(?), ref: 00CB66D7
                • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00CB66EC
                • DestroyWindow.USER32(?), ref: 00CB66F4
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                • String ID: SysAnimate32
                • API String ID: 4146253029-1011021900
                • Opcode ID: f0df882bd8e60372542efb3d9142eaf984017a6a3bd0e9054d6e6f79f02d81ed
                • Instruction ID: d843d2123e482b9a255cf9ffc9dd5598200674434fb387017e9094f9e60fa796
                • Opcode Fuzzy Hash: f0df882bd8e60372542efb3d9142eaf984017a6a3bd0e9054d6e6f79f02d81ed
                • Instruction Fuzzy Hash: D6216A71210206AFEF104F64EC80FFB77ADEB59368F104629F961A21A0DB79DD51A760
                APIs
                • GetStdHandle.KERNEL32(0000000C), ref: 00C9705E
                • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C97091
                • GetStdHandle.KERNEL32(0000000C), ref: 00C970A3
                • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00C970DD
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: CreateHandle$FilePipe
                • String ID: nul
                • API String ID: 4209266947-2873401336
                • Opcode ID: 3b58a85b2676c3286caf9aeb594996276c0921b577d696666c1b6afd51fda94e
                • Instruction ID: 274e014819e710279e8d8be57ddd8b87cc90dd3240aeca565b32a24a83c04e16
                • Opcode Fuzzy Hash: 3b58a85b2676c3286caf9aeb594996276c0921b577d696666c1b6afd51fda94e
                • Instruction Fuzzy Hash: 90218C74615209ABDF209F29DC09B9E7BA8BF44B20F204B29FCB0D72D0E77099508B60
                APIs
                • GetStdHandle.KERNEL32(000000F6), ref: 00C9712B
                • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C9715D
                • GetStdHandle.KERNEL32(000000F6), ref: 00C9716E
                • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00C971A8
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: CreateHandle$FilePipe
                • String ID: nul
                • API String ID: 4209266947-2873401336
                • Opcode ID: 95bb40b7df1bac164878d763591013a886b5ee71b729d564df78d7e9309be8fa
                • Instruction ID: ea258f8f3d79a345956f09aa390c01779bf2ebaf77c1304672b50fa8e09f13b0
                • Opcode Fuzzy Hash: 95bb40b7df1bac164878d763591013a886b5ee71b729d564df78d7e9309be8fa
                • Instruction Fuzzy Hash: 2021B075615305ABDF209F699C08BAEB7E8AF55720F200B19FCB5D32D0E770A941CB61
                APIs
                • SetErrorMode.KERNEL32(00000001), ref: 00C9AEBF
                • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00C9AF13
                • __swprintf.LIBCMT ref: 00C9AF2C
                • SetErrorMode.KERNEL32(00000000,00000001,00000000,00CBF910), ref: 00C9AF6A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: ErrorMode$InformationVolume__swprintf
                • String ID: %lu
                • API String ID: 3164766367-685833217
                • Opcode ID: 18bf529141ff1fe9581be1966c773631e8f85e52f7b92c47a7572237e8ed4e40
                • Instruction ID: ab7aa869c92d49dc66b515514e75ab93b8cf13d6726bd31a0076265fb5907598
                • Opcode Fuzzy Hash: 18bf529141ff1fe9581be1966c773631e8f85e52f7b92c47a7572237e8ed4e40
                • Instruction Fuzzy Hash: 16214435A00109AFCB10DF55CD85EAE77B8EF49704F104069F909EB351DB71EA45DB61
                APIs
                  • Part of subcall function 00C37D2C: _memmove.LIBCMT ref: 00C37D66
                  • Part of subcall function 00C8A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00C8A399
                  • Part of subcall function 00C8A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C8A3AC
                  • Part of subcall function 00C8A37C: GetCurrentThreadId.KERNEL32 ref: 00C8A3B3
                  • Part of subcall function 00C8A37C: AttachThreadInput.USER32(00000000), ref: 00C8A3BA
                • GetFocus.USER32 ref: 00C8A554
                  • Part of subcall function 00C8A3C5: GetParent.USER32(?), ref: 00C8A3D3
                • GetClassNameW.USER32(?,?,00000100), ref: 00C8A59D
                • EnumChildWindows.USER32(?,00C8A615), ref: 00C8A5C5
                • __swprintf.LIBCMT ref: 00C8A5DF
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                • String ID: %s%d
                • API String ID: 1941087503-1110647743
                • Opcode ID: 759abeee02f18d75ee9f7bc389271c71d3ff52aeb6209e9e45477cc47ec7c8f9
                • Instruction ID: 5bfafdc3d18183975b887fcdbe1788ef7db2325dc6ecf2c761117eb189153155
                • Opcode Fuzzy Hash: 759abeee02f18d75ee9f7bc389271c71d3ff52aeb6209e9e45477cc47ec7c8f9
                • Instruction Fuzzy Hash: 7411E4B1200209BBEF117F61DC85FEE37BC9F48304F00407AFE08AA152DA7099469B39
                APIs
                • CharUpperBuffW.USER32(?,?), ref: 00C92048
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: BuffCharUpper
                • String ID: APPEND$EXISTS$KEYS$REMOVE
                • API String ID: 3964851224-769500911
                • Opcode ID: c9ca1e2042ef9ced082e04de2159c433db3db74b27d2102b5585e4f2a94b2ef0
                • Instruction ID: 2af19c2d26b5929ec2489801a38add256a2eaa05257e7c04d48b4364073ad0ba
                • Opcode Fuzzy Hash: c9ca1e2042ef9ced082e04de2159c433db3db74b27d2102b5585e4f2a94b2ef0
                • Instruction Fuzzy Hash: 62116D7891010AEFCF50EFA4D9415FEB7B4FF15304F108568ECA5A7252EB326A0AEB50
                APIs
                • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00CAEF1B
                • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00CAEF4B
                • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00CAF07E
                • CloseHandle.KERNEL32(?), ref: 00CAF0FF
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Process$CloseCountersHandleInfoMemoryOpen
                • String ID:
                • API String ID: 2364364464-0
                • Opcode ID: 79430f1b22b1a358e6f6171780a823f3e62bdb25959fc6c6ec9b4f1fc8a60857
                • Instruction ID: aa4a874a15667b108ba1cb147451e949b1a999e63b89073266c6393cf82dd732
                • Opcode Fuzzy Hash: 79430f1b22b1a358e6f6171780a823f3e62bdb25959fc6c6ec9b4f1fc8a60857
                • Instruction Fuzzy Hash: B18180716143019FD720EF28CC86B2EB7E5EF49724F04891DF599DB292DBB0AD019B92
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                • String ID:
                • API String ID: 1559183368-0
                • Opcode ID: fd1a262b7e6f1cb596d0076786feeeb097306c284ce0f321d4276a437e8c5e71
                • Instruction ID: 09353f8973e2d00b9e93d0bd939fe15f3ddadd4aa01beac233f1ab5e8c6e5ee3
                • Opcode Fuzzy Hash: fd1a262b7e6f1cb596d0076786feeeb097306c284ce0f321d4276a437e8c5e71
                • Instruction Fuzzy Hash: D851E938A10B45DFDB248F79C8A056E77B1AF44362F248729FC35962D0DB709ED89B48
                APIs
                  • Part of subcall function 00C37F41: _memmove.LIBCMT ref: 00C37F82
                  • Part of subcall function 00CB10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CB0038,?,?), ref: 00CB10BC
                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CB0388
                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CB03C7
                • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00CB040E
                • RegCloseKey.ADVAPI32(?,?), ref: 00CB043A
                • RegCloseKey.ADVAPI32(00000000), ref: 00CB0447
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                • String ID:
                • API String ID: 3440857362-0
                • Opcode ID: 2930d87eab812a59453c0f40da5532814be17baf96b3f424c1beba19a9ff6e1b
                • Instruction ID: 7f848db6f0ddce4d885eba7ed67fa10a817b1826928e380a07dee0d7b9e9a555
                • Opcode Fuzzy Hash: 2930d87eab812a59453c0f40da5532814be17baf96b3f424c1beba19a9ff6e1b
                • Instruction Fuzzy Hash: 5E512971218204AFD714EB64DC85FAFB7E8FF84304F54892DB596872A1DB30EA05EB52
                APIs
                  • Part of subcall function 00C39997: __itow.LIBCMT ref: 00C399C2
                  • Part of subcall function 00C39997: __swprintf.LIBCMT ref: 00C39A0C
                • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00CADC3B
                • GetProcAddress.KERNEL32(00000000,?), ref: 00CADCBE
                • GetProcAddress.KERNEL32(00000000,00000000), ref: 00CADCDA
                • GetProcAddress.KERNEL32(00000000,?), ref: 00CADD1B
                • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00CADD35
                  • Part of subcall function 00C35B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00C97B20,?,?,00000000), ref: 00C35B8C
                  • Part of subcall function 00C35B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00C97B20,?,?,00000000,?,?), ref: 00C35BB0
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                • String ID:
                • API String ID: 327935632-0
                • Opcode ID: 29479418f546e86b2b5182916bf90ec6b018269a9311576b3f81dc68570bd611
                • Instruction ID: a703b3d5627a69483c65fad553073593333f3a145ea927ce45e9e56b9682faaa
                • Opcode Fuzzy Hash: 29479418f546e86b2b5182916bf90ec6b018269a9311576b3f81dc68570bd611
                • Instruction Fuzzy Hash: B9512A75A00206DFCB00EF68C8849ADB7F4FF59328B148169E81AAB351DB70EE45DF91
                APIs
                • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00C9E88A
                • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00C9E8B3
                • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00C9E8F2
                  • Part of subcall function 00C39997: __itow.LIBCMT ref: 00C399C2
                  • Part of subcall function 00C39997: __swprintf.LIBCMT ref: 00C39A0C
                • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00C9E917
                • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00C9E91F
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                • String ID:
                • API String ID: 1389676194-0
                • Opcode ID: 1bfb8b3a75d6e0fac0b2cc527ea584c208fa3a3fb8fb56ef1328580fd415b7f6
                • Instruction ID: cb5a264da456e0f5ded88bc07296685eb21556a1b10c3b994c6bdb55f47f4033
                • Opcode Fuzzy Hash: 1bfb8b3a75d6e0fac0b2cc527ea584c208fa3a3fb8fb56ef1328580fd415b7f6
                • Instruction Fuzzy Hash: CA510835A10205EFCF05EF64C985AAEBBF5EF08310F1480A9E849AB361CB71AD51EB51
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0c08c15203fbc76fc2f60b6947e5c520cc530c854d5586507891ad5709beccf9
                • Instruction ID: a888ada18f92709fa85b9dc1ada558babfc279ba7d0d824dc1034328cd6f2c7e
                • Opcode Fuzzy Hash: 0c08c15203fbc76fc2f60b6947e5c520cc530c854d5586507891ad5709beccf9
                • Instruction Fuzzy Hash: 8C41B435900214AFD720DF28CC48FF9BBA8EB09310F154265F9A5A72F1DB70EE41DA62
                APIs
                • GetCursorPos.USER32(?), ref: 00C32357
                • ScreenToClient.USER32(00CF67B0,?), ref: 00C32374
                • GetAsyncKeyState.USER32(00000001), ref: 00C32399
                • GetAsyncKeyState.USER32(00000002), ref: 00C323A7
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: AsyncState$ClientCursorScreen
                • String ID:
                • API String ID: 4210589936-0
                • Opcode ID: 49e8ee568033af24421cf6fcd44fc577ee5dcb5674e93713e532f0cccef6303c
                • Instruction ID: 9b17a46e9b1873b09b608da36ee5845d359b023f302c03d37ea47dba92d91de4
                • Opcode Fuzzy Hash: 49e8ee568033af24421cf6fcd44fc577ee5dcb5674e93713e532f0cccef6303c
                • Instruction Fuzzy Hash: 7C416135504119FBDF659F69C884BEDBBB8FB05320F20435AF879922A0C7345A54EF91
                APIs
                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C8695D
                • TranslateAcceleratorW.USER32(?,?,?), ref: 00C869A9
                • TranslateMessage.USER32(?), ref: 00C869D2
                • DispatchMessageW.USER32(?), ref: 00C869DC
                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C869EB
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Message$PeekTranslate$AcceleratorDispatch
                • String ID:
                • API String ID: 2108273632-0
                • Opcode ID: c8a8cc747729df57d3587da90b553194831d2befe851c7cc11b056dd2019f4c0
                • Instruction ID: da554a2ebb1b3a1acb215e929f09e56b87597d662a38f253e79ea038ddd87387
                • Opcode Fuzzy Hash: c8a8cc747729df57d3587da90b553194831d2befe851c7cc11b056dd2019f4c0
                • Instruction Fuzzy Hash: A331E471900246ABDB24EF74DC44FFABBACAB01308F14416AE431D32E1E7749986E7A5
                APIs
                • GetWindowRect.USER32(?,?), ref: 00C88F12
                • PostMessageW.USER32(?,00000201,00000001), ref: 00C88FBC
                • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00C88FC4
                • PostMessageW.USER32(?,00000202,00000000), ref: 00C88FD2
                • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00C88FDA
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: MessagePostSleep$RectWindow
                • String ID:
                • API String ID: 3382505437-0
                • Opcode ID: d83a47c230472d815d94e4e821fb070d98d119be4c491924136ed6b3b2f67e94
                • Instruction ID: 7e2f3aaa6d79061fe2c9ae36a194b9e89af4f8abc604cbd3b94596b68a0370fe
                • Opcode Fuzzy Hash: d83a47c230472d815d94e4e821fb070d98d119be4c491924136ed6b3b2f67e94
                • Instruction Fuzzy Hash: 0331C271500219EFDF14DFA8DD4CB9E7BB6EB04319F104229FA25E62D0C7B09A14DB54
                APIs
                • IsWindowVisible.USER32(?), ref: 00C8B6C7
                • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00C8B6E4
                • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00C8B71C
                • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00C8B742
                • _wcsstr.LIBCMT ref: 00C8B74C
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                • String ID:
                • API String ID: 3902887630-0
                • Opcode ID: 1088300c9d2d9ac3e56a9e710e1230811e172c6122ee02a7b4096afb484ab9bd
                • Instruction ID: 98151a61115cc76b0882778b2fed675b4921d2fe48e7850b0bdeb9e871d7a7fe
                • Opcode Fuzzy Hash: 1088300c9d2d9ac3e56a9e710e1230811e172c6122ee02a7b4096afb484ab9bd
                • Instruction Fuzzy Hash: 54210732204244BBEB256B399C49F7F7BA8DF89721F14402EFC05CA2A1EB61DD419364
                APIs
                  • Part of subcall function 00C32612: GetWindowLongW.USER32(?,000000EB), ref: 00C32623
                • GetWindowLongW.USER32(?,000000F0), ref: 00CBB44C
                • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00CBB471
                • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00CBB489
                • GetSystemMetrics.USER32(00000004), ref: 00CBB4B2
                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00CA1184,00000000), ref: 00CBB4D0
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Window$Long$MetricsSystem
                • String ID:
                • API String ID: 2294984445-0
                • Opcode ID: d046190d25006ce068b83f530c68685a7854295e3655f21e14938d319963a7a4
                • Instruction ID: 4960848194549cd9b7ecdc79ac21dc0338fae9a9e86915914e582d80bcc8da7a
                • Opcode Fuzzy Hash: d046190d25006ce068b83f530c68685a7854295e3655f21e14938d319963a7a4
                • Instruction Fuzzy Hash: AB215C71910665AFCB209F398C04BAA3BA4FB05720F154B28F936D62E1E7709D11DF90
                APIs
                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C89802
                  • Part of subcall function 00C37D2C: _memmove.LIBCMT ref: 00C37D66
                • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C89834
                • __itow.LIBCMT ref: 00C8984C
                • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C89874
                • __itow.LIBCMT ref: 00C89885
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: MessageSend$__itow$_memmove
                • String ID:
                • API String ID: 2983881199-0
                • Opcode ID: 9d7ff6e9e64b77d7907b7ec2c4f8561673c8f87c399654f9933f6c90fcd5b277
                • Instruction ID: e952d25597fc791fd57abcbbb00deade33fe1a8a93ac254630aa17a63248a5aa
                • Opcode Fuzzy Hash: 9d7ff6e9e64b77d7907b7ec2c4f8561673c8f87c399654f9933f6c90fcd5b277
                • Instruction Fuzzy Hash: D021C571B00209BFDB20AA658C8AEFE7BA9EF4A714F080039FD04DB291D6708E45D795
                APIs
                • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C3134D
                • SelectObject.GDI32(?,00000000), ref: 00C3135C
                • BeginPath.GDI32(?), ref: 00C31373
                • SelectObject.GDI32(?,00000000), ref: 00C3139C
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: ObjectSelect$BeginCreatePath
                • String ID:
                • API String ID: 3225163088-0
                • Opcode ID: 13f0a0240b703d8d7be5734a5cc71d9436078af110769b21cb5e55a6e2b17167
                • Instruction ID: 568fb3a673ca88b19d116af51a7b5e4c290004b4d12a9b3422ad72a511fdca98
                • Opcode Fuzzy Hash: 13f0a0240b703d8d7be5734a5cc71d9436078af110769b21cb5e55a6e2b17167
                • Instruction Fuzzy Hash: 2C210C70814308EFDB119F29EC447BD7BB9EB043A1F18822AE824965F0D7719D95DB92
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: _memcmp
                • String ID:
                • API String ID: 2931989736-0
                • Opcode ID: 7a158d7005e2cfeaa5d9c5dac6d291d0cb8921f30ba00f7cd43cbf085b0d6eb8
                • Instruction ID: 7b536123bfba91cdbb8de0ba9a3f3c9ce73f5e46a2097a390dcb9afc100c8ab1
                • Opcode Fuzzy Hash: 7a158d7005e2cfeaa5d9c5dac6d291d0cb8921f30ba00f7cd43cbf085b0d6eb8
                • Instruction Fuzzy Hash: A6019EA26042167BE204B6219CCAFAF639CDB2139CB484025FD1596283EA70AE1593F8
                APIs
                • GetCurrentThreadId.KERNEL32 ref: 00C94D5C
                • __beginthreadex.LIBCMT ref: 00C94D7A
                • MessageBoxW.USER32(?,?,?,?), ref: 00C94D8F
                • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00C94DA5
                • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00C94DAC
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                • String ID:
                • API String ID: 3824534824-0
                • Opcode ID: 7c1ea59147e10585f4240614de907eb209f6a89b65a9b0e3d861c840ce5954c2
                • Instruction ID: 97810cc29567d0eb17f1620bf038a5b066fbe99f1551ad61eaca2bf74cf38882
                • Opcode Fuzzy Hash: 7c1ea59147e10585f4240614de907eb209f6a89b65a9b0e3d861c840ce5954c2
                • Instruction Fuzzy Hash: A61104B6904209BBCB059BB8DC08FEE7FACEB45321F144369F924D33A1D6718D4587A1
                APIs
                • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C88766
                • GetLastError.KERNEL32(?,00C8822A,?,?,?), ref: 00C88770
                • GetProcessHeap.KERNEL32(00000008,?,?,00C8822A,?,?,?), ref: 00C8877F
                • HeapAlloc.KERNEL32(00000000,?,00C8822A,?,?,?), ref: 00C88786
                • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C8879D
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                • String ID:
                • API String ID: 842720411-0
                • Opcode ID: 884e96a128f2ad86e24017fbf42cb736d8867c3d4f12b75ecc6b80445b56d537
                • Instruction ID: b615381df907885ed0bc9617505ec7c3857f6203978eb0ec376452a6206eab1f
                • Opcode Fuzzy Hash: 884e96a128f2ad86e24017fbf42cb736d8867c3d4f12b75ecc6b80445b56d537
                • Instruction Fuzzy Hash: 45014BB1200204EFDB205FAADC88E6F7BBCEF89395B600539F849C2260DA318D05CB60
                APIs
                • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C95502
                • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00C95510
                • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C95518
                • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00C95522
                • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C9555E
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: PerformanceQuery$CounterSleep$Frequency
                • String ID:
                • API String ID: 2833360925-0
                • Opcode ID: 983f1d0e015d7bbb28fdac1c44ed41a96896a62254510c78da3244010e247503
                • Instruction ID: 76c71389b150605e2bc4dc237077bc7cc4be0c27cad15463970dda883a0154ad
                • Opcode Fuzzy Hash: 983f1d0e015d7bbb28fdac1c44ed41a96896a62254510c78da3244010e247503
                • Instruction Fuzzy Hash: E0015B71C01A19DBCF05DFE9EC8CBEDBB78BB09701F01055AE901B2251DB309A51C7A1
                APIs
                • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C8758C,80070057,?,?,?,00C8799D), ref: 00C8766F
                • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C8758C,80070057,?,?), ref: 00C8768A
                • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C8758C,80070057,?,?), ref: 00C87698
                • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C8758C,80070057,?), ref: 00C876A8
                • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C8758C,80070057,?,?), ref: 00C876B4
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: From$Prog$FreeStringTasklstrcmpi
                • String ID:
                • API String ID: 3897988419-0
                • Opcode ID: c7b8ab77a78394fef6723529b6f0275c0da7b355210abd64676dcd7b4fab95af
                • Instruction ID: bf9f45b598827dc5ba92b66ea50c8df20277fe6c3771b26bbfe4178a0cf28292
                • Opcode Fuzzy Hash: c7b8ab77a78394fef6723529b6f0275c0da7b355210abd64676dcd7b4fab95af
                • Instruction Fuzzy Hash: F3018472605604BBDB10AF58DC48BAE7BADEB45755F240228FD04D2221F772DE4197A4
                APIs
                • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C88608
                • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C88612
                • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C88621
                • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C88628
                • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C8863E
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: HeapInformationToken$AllocErrorLastProcess
                • String ID:
                • API String ID: 44706859-0
                • Opcode ID: 9e809476af401b8ea4def61accfb8184e4433785e409c6e1897aad13ba51bdd7
                • Instruction ID: 0dbfd840075bc90316ac842c66f5adcec843f07b9a3859565b3be02ad5550165
                • Opcode Fuzzy Hash: 9e809476af401b8ea4def61accfb8184e4433785e409c6e1897aad13ba51bdd7
                • Instruction Fuzzy Hash: 3AF04F71201204BFEB102FA9EC89F6F3BACEF89758F440529F945C6260DB619D46DB60
                APIs
                • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C88669
                • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C88673
                • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C88682
                • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C88689
                • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C8869F
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: HeapInformationToken$AllocErrorLastProcess
                • String ID:
                • API String ID: 44706859-0
                • Opcode ID: 675d94a022a6551ee91e045ea8111866d4092d647925c69b4658f81e3db20eb1
                • Instruction ID: 3fb84d00e9d3df11b823e92893ad65d6f0e00ab164323095334cadfc85b8efe3
                • Opcode Fuzzy Hash: 675d94a022a6551ee91e045ea8111866d4092d647925c69b4658f81e3db20eb1
                • Instruction Fuzzy Hash: 12F0AF70240204BFEB112FA8EC88F6F3BACEF89758F500539F945C2260DA609D06DB60
                APIs
                • GetDlgItem.USER32(?,000003E9), ref: 00C8C6BA
                • GetWindowTextW.USER32(00000000,?,00000100), ref: 00C8C6D1
                • MessageBeep.USER32(00000000), ref: 00C8C6E9
                • KillTimer.USER32(?,0000040A), ref: 00C8C705
                • EndDialog.USER32(?,00000001), ref: 00C8C71F
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: BeepDialogItemKillMessageTextTimerWindow
                • String ID:
                • API String ID: 3741023627-0
                • Opcode ID: 08dc5d037fcdd147fe78c0c772de4e49f69334aaa12448b3179a7e173e1956dd
                • Instruction ID: 9ef3d43b2b7ec782d05d4e401bc0ea4a2bd02edfa2ee6b655c5715de6d411aba
                • Opcode Fuzzy Hash: 08dc5d037fcdd147fe78c0c772de4e49f69334aaa12448b3179a7e173e1956dd
                • Instruction Fuzzy Hash: 1A016270550704ABEB216B24DD8EF9A77B8FF00705F00066DF552A15E1EBF0AA558F94
                APIs
                • EndPath.GDI32(?), ref: 00C313BF
                • StrokeAndFillPath.GDI32(?,?,00C6BAD8,00000000,?), ref: 00C313DB
                • SelectObject.GDI32(?,00000000), ref: 00C313EE
                • DeleteObject.GDI32 ref: 00C31401
                • StrokePath.GDI32(?), ref: 00C3141C
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Path$ObjectStroke$DeleteFillSelect
                • String ID:
                • API String ID: 2625713937-0
                • Opcode ID: 866228775a2a7d9c7f885e17853a65ea6b4979e64a3f51ede662121cc9ff45ef
                • Instruction ID: 164c036237793f84e1a42018eb31562248639b33157d5b83beddca3d76b3f14b
                • Opcode Fuzzy Hash: 866228775a2a7d9c7f885e17853a65ea6b4979e64a3f51ede662121cc9ff45ef
                • Instruction Fuzzy Hash: 53F0C931014208EFDB115F2AEC0C76C3BB4AB01366F088228E86A451F1C7328996DF61
                APIs
                • CoInitialize.OLE32(00000000), ref: 00C9C69D
                • CoCreateInstance.OLE32(00CC2D6C,00000000,00000001,00CC2BDC,?), ref: 00C9C6B5
                  • Part of subcall function 00C37F41: _memmove.LIBCMT ref: 00C37F82
                • CoUninitialize.OLE32 ref: 00C9C922
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: CreateInitializeInstanceUninitialize_memmove
                • String ID: .lnk
                • API String ID: 2683427295-24824748
                • Opcode ID: 07b856fd61d47396715e2acc99b1533ad86258e5f67dd1e370d55a4596861205
                • Instruction ID: 9cd340dc077bd4b0bd603c1caa6e4b0fd544d86c98a8a681d36a8f44a3b0a47e
                • Opcode Fuzzy Hash: 07b856fd61d47396715e2acc99b1533ad86258e5f67dd1e370d55a4596861205
                • Instruction Fuzzy Hash: 70A12B71118205AFD704EF54C881EABB7E8FF98704F004A6CF196971A2DBB1EA49DB52
                APIs
                  • Part of subcall function 00C50FF6: std::exception::exception.LIBCMT ref: 00C5102C
                  • Part of subcall function 00C50FF6: __CxxThrowException@8.LIBCMT ref: 00C51041
                  • Part of subcall function 00C37F41: _memmove.LIBCMT ref: 00C37F82
                  • Part of subcall function 00C37BB1: _memmove.LIBCMT ref: 00C37C0B
                • __swprintf.LIBCMT ref: 00C4302D
                Strings
                • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00C42EC6
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                • API String ID: 1943609520-557222456
                • Opcode ID: 7a670e4cb691e60097d7af24cada8f774a0ac90c21b4e568ba19ec59014b4322
                • Instruction ID: 5c9b3fc6bce028449c993db65e3afe08232afe6abb2f84f5c4735e36d0b3b5cc
                • Opcode Fuzzy Hash: 7a670e4cb691e60097d7af24cada8f774a0ac90c21b4e568ba19ec59014b4322
                • Instruction Fuzzy Hash: 2C91AA711187419FC728EF24D885D6EB7B8FF85750F004A1DF8969B2A1DA30EE48EB52
                APIs
                  • Part of subcall function 00C348AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C348A1,?,?,00C337C0,?), ref: 00C348CE
                • CoInitialize.OLE32(00000000), ref: 00C9BC26
                • CoCreateInstance.OLE32(00CC2D6C,00000000,00000001,00CC2BDC,?), ref: 00C9BC3F
                • CoUninitialize.OLE32 ref: 00C9BC5C
                  • Part of subcall function 00C39997: __itow.LIBCMT ref: 00C399C2
                  • Part of subcall function 00C39997: __swprintf.LIBCMT ref: 00C39A0C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                • String ID: .lnk
                • API String ID: 2126378814-24824748
                • Opcode ID: e3ee2fd69f9435b8523065e79afafdfbba006da35e33c47eea4dbcb37e1e7372
                • Instruction ID: df138fe38a3eeade4b4793e84dcda79d8f00c5bbd3b35c097d346c7eae53fc1a
                • Opcode Fuzzy Hash: e3ee2fd69f9435b8523065e79afafdfbba006da35e33c47eea4dbcb37e1e7372
                • Instruction Fuzzy Hash: 94A12675604301AFCB14DF14C988E6ABBE5FF89314F148998F8999B3A1CB31ED45CB91
                APIs
                • __startOneArgErrorHandling.LIBCMT ref: 00C552DD
                  • Part of subcall function 00C60340: __87except.LIBCMT ref: 00C6037B
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: ErrorHandling__87except__start
                • String ID: pow
                • API String ID: 2905807303-2276729525
                • Opcode ID: 829947563d56eb5f5e4d9ccf56f9d5368f0efdeaa546493d0767f7a7095124d7
                • Instruction ID: 416bf6d4b6b4a99591991e736d8613c93d51d8e35769b3e4fe8ecc1d8bfed186
                • Opcode Fuzzy Hash: 829947563d56eb5f5e4d9ccf56f9d5368f0efdeaa546493d0767f7a7095124d7
                • Instruction Fuzzy Hash: AC517A25A08A0287C7356715CDA137F2B94DB00352F304D68E9A9922F5EF748EC8EB4A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID:
                • String ID: #$+
                • API String ID: 0-2552117581
                • Opcode ID: afcde0ddbd4369627662a5a93fb19c54d01beca52bdaf7cf92cea35872ba69f2
                • Instruction ID: 473ab141f3031bf3ea0c8c66d83ec16a3b7c3abb411ca1b226f4217e0db650d2
                • Opcode Fuzzy Hash: afcde0ddbd4369627662a5a93fb19c54d01beca52bdaf7cf92cea35872ba69f2
                • Instruction Fuzzy Hash: F05133795046468FCF25AF28C888AFE7BA4EF16314F244056ECA19B2A0C7709E86C764
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: _memset$_memmove
                • String ID: ERCP
                • API String ID: 2532777613-1384759551
                • Opcode ID: 6551357e4f4d6f8a1790dfbef2f52c0058fa618a20a30ad02e0e5678b98f86a6
                • Instruction ID: 2df6d78f16cfa556524d4ed3ad4481da90bd9962d3337fbafa4f136c71011bc5
                • Opcode Fuzzy Hash: 6551357e4f4d6f8a1790dfbef2f52c0058fa618a20a30ad02e0e5678b98f86a6
                • Instruction Fuzzy Hash: 5B51C0B19007099BCF24CF65C885BABBBF8FF04714F24856EE95ACB241E7709A85CB45
                APIs
                  • Part of subcall function 00C919CC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C89778,?,?,00000034,00000800,?,00000034), ref: 00C919F6
                • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00C89D21
                  • Part of subcall function 00C91997: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C897A7,?,?,00000800,?,00001073,00000000,?,?), ref: 00C919C1
                  • Part of subcall function 00C918EE: GetWindowThreadProcessId.USER32(?,?), ref: 00C91919
                  • Part of subcall function 00C918EE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00C8973C,00000034,?,?,00001004,00000000,00000000), ref: 00C91929
                  • Part of subcall function 00C918EE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00C8973C,00000034,?,?,00001004,00000000,00000000), ref: 00C9193F
                • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C89D8E
                • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C89DDB
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                • String ID: @
                • API String ID: 4150878124-2766056989
                • Opcode ID: ba7a0b87e79cedacbd56e14ce31032e68adfb00130e8b507dac09805413261d1
                • Instruction ID: 13c57e4d799de2df74745ff117856542f4d14de6738f3a5f4144c474fd5d3db5
                • Opcode Fuzzy Hash: ba7a0b87e79cedacbd56e14ce31032e68adfb00130e8b507dac09805413261d1
                • Instruction Fuzzy Hash: E3414E76900219BFDF10EBA4CC86BEEBBB8EB09300F044095FA55B7191DA706E45DBA5
                APIs
                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00CBF910,00000000,?,?,?,?), ref: 00CB7C4E
                • GetWindowLongW.USER32 ref: 00CB7C6B
                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CB7C7B
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Window$Long
                • String ID: SysTreeView32
                • API String ID: 847901565-1698111956
                • Opcode ID: 7463cc329d063fb1d8ec20b49141b5d607e33ced36381466d7e57afcd89c3acb
                • Instruction ID: 18c5f9ad4f4d4a58875f24f51df2fd96567d13d5b3206fa0c3dcb1913f064cfa
                • Opcode Fuzzy Hash: 7463cc329d063fb1d8ec20b49141b5d607e33ced36381466d7e57afcd89c3acb
                • Instruction Fuzzy Hash: 59319031644209ABDF119F38CC45BEA7BA9EB49324F244729F875A22E0D731ED519B50
                APIs
                • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00CB76D0
                • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00CB76E4
                • SendMessageW.USER32(?,00001002,00000000,?), ref: 00CB7708
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: MessageSend$Window
                • String ID: SysMonthCal32
                • API String ID: 2326795674-1439706946
                • Opcode ID: 2f0f4561882d5dd1bf58c7938317b79ce3c7f76317aad12443bb2a51358816af
                • Instruction ID: 541504572ff3f0153e6fc6722311e64d3564349b2c7a16fc822bab3d4ae4de0b
                • Opcode Fuzzy Hash: 2f0f4561882d5dd1bf58c7938317b79ce3c7f76317aad12443bb2a51358816af
                • Instruction Fuzzy Hash: 11219F32554219ABDF128FA4CC46FEA3B69EB88714F110214FE156B1D0DAB5AC519BA0
                APIs
                • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00CB6FAA
                • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00CB6FBA
                • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00CB6FDF
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: MessageSend$MoveWindow
                • String ID: Listbox
                • API String ID: 3315199576-2633736733
                • Opcode ID: 3bd8d2585c4def198a8c6167d7f1c367ed86a2d39239353ae2eab734abcd33a9
                • Instruction ID: 8b7bae26609a127fdaa04e33747cfe090462c8069edcd51bcc0009c0b8bae84e
                • Opcode Fuzzy Hash: 3bd8d2585c4def198a8c6167d7f1c367ed86a2d39239353ae2eab734abcd33a9
                • Instruction Fuzzy Hash: 20218032610118BFDF118F94DC85FFB37AAEF89754F018124F9149B190CA75AC52DBA0
                APIs
                • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00CB79E1
                • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00CB79F6
                • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00CB7A03
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: MessageSend
                • String ID: msctls_trackbar32
                • API String ID: 3850602802-1010561917
                • Opcode ID: bc80a30bb2b2dee8815fb79d12c0f90b714f4a1b464a62672ad3327bc1cb469d
                • Instruction ID: 8d2b854d993adf6283885137447bf86a4b35bebf63876b81eee4502a30ba30ea
                • Opcode Fuzzy Hash: bc80a30bb2b2dee8815fb79d12c0f90b714f4a1b464a62672ad3327bc1cb469d
                • Instruction Fuzzy Hash: CF11E332654248BAEF119F71CC05FEB77A9EFC9B64F010629FA51A6090D2729811DB60
                APIs
                • LoadLibraryA.KERNEL32(kernel32.dll,?,00C34C2E), ref: 00C34CA3
                • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00C34CB5
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: AddressLibraryLoadProc
                • String ID: GetNativeSystemInfo$kernel32.dll
                • API String ID: 2574300362-192647395
                • Opcode ID: 1067ddfdac95c2de471d29b70d673fb5c43950a5c93650f6d77a7220446538b8
                • Instruction ID: 53f2df3d293cf3c1ac3ce81a9457bf91e01530e19354bc815a62f1148b12d35f
                • Opcode Fuzzy Hash: 1067ddfdac95c2de471d29b70d673fb5c43950a5c93650f6d77a7220446538b8
                • Instruction Fuzzy Hash: 9DD01731620723CFDB289F39EE1874A76E9AF05791F11CC3ED8A6D6250E670E881CA50
                APIs
                • LoadLibraryA.KERNEL32(kernel32.dll,?,00C34CE1,?), ref: 00C34DA2
                • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C34DB4
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: AddressLibraryLoadProc
                • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                • API String ID: 2574300362-1355242751
                • Opcode ID: a5d297a44d457a518951e7c0e512183c4d066902b30466ac72b7350c78d9d88d
                • Instruction ID: 63d04173f9a42440412b80aca0af277d930258e2796e986f28bc2d9bfae1158c
                • Opcode Fuzzy Hash: a5d297a44d457a518951e7c0e512183c4d066902b30466ac72b7350c78d9d88d
                • Instruction Fuzzy Hash: CBD0E231560712CFD7249B39DC08B8A76E8AF05355F11893ED8A6D6250E770E9818A50
                APIs
                • LoadLibraryA.KERNEL32(kernel32.dll,?,00C34D2E,?,00C34F4F,?,00CF62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C34D6F
                • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C34D81
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: AddressLibraryLoadProc
                • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                • API String ID: 2574300362-3689287502
                • Opcode ID: 5e217963156a4c4a3f622bb1b1bb925991eb003c5f07c21e42bf3d3583d59f61
                • Instruction ID: 6dec34eae17554b06bc663e65e8a3141c500a8301ef43fff0507ad0ff44d98cc
                • Opcode Fuzzy Hash: 5e217963156a4c4a3f622bb1b1bb925991eb003c5f07c21e42bf3d3583d59f61
                • Instruction Fuzzy Hash: F1D01731520713CFD7249F39DC0875A76E8AF15352F11CE3ED4A6D6350E670E981CA50
                APIs
                • LoadLibraryA.KERNEL32(advapi32.dll,?,00CB12C1), ref: 00CB1080
                • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00CB1092
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: AddressLibraryLoadProc
                • String ID: RegDeleteKeyExW$advapi32.dll
                • API String ID: 2574300362-4033151799
                • Opcode ID: 4b36167cea04127699f404b6c69ad0eb059bb7f932282b1c4fa792e65726063b
                • Instruction ID: 765911600c73033980931b02c5bc8faa4f647ccb957104cbbfd8fe05363fe7a0
                • Opcode Fuzzy Hash: 4b36167cea04127699f404b6c69ad0eb059bb7f932282b1c4fa792e65726063b
                • Instruction Fuzzy Hash: F5D0EC31510752CFD7205B79D82866F76E4AF05391F158D3DA895D6250D770C8808650
                APIs
                • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00CA9009,?,00CBF910), ref: 00CA9403
                • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00CA9415
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: AddressLibraryLoadProc
                • String ID: GetModuleHandleExW$kernel32.dll
                • API String ID: 2574300362-199464113
                • Opcode ID: bfffaf52194bb4ca075d936b04002db75087c5f9ff89b67126a49ac9d2b25bd6
                • Instruction ID: c76a842901d4ebae605dc09a6972a485523be8ca174bd8b0965707d73bd0f11c
                • Opcode Fuzzy Hash: bfffaf52194bb4ca075d936b04002db75087c5f9ff89b67126a49ac9d2b25bd6
                • Instruction Fuzzy Hash: A4D0C730510313CFC7208F39DD0930A76E8AF0A341F20CC3EE4A2C2650E670C882CB10
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: LocalTime__swprintf
                • String ID: %.3d$WIN_XPe
                • API String ID: 2070861257-2409531811
                • Opcode ID: 31659cb9f69c6674c82ced1bfb0c5f29838eb7a6e064f865da2401a15ea42875
                • Instruction ID: 632ba1ec325d6c2282122c0589a1c99eea229e308cf5c5958cd39095be0e7b93
                • Opcode Fuzzy Hash: 31659cb9f69c6674c82ced1bfb0c5f29838eb7a6e064f865da2401a15ea42875
                • Instruction Fuzzy Hash: 91D012F5814158EBCB199A968C84DFD777CA704301F184592BD0AA2040F2349B85AB25
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f85357f31fa1e85a6b80d8507dcd8ec87ba752ebc871ec0aabdd2bc1f80fdd6d
                • Instruction ID: 8fd14495055fd8097797ce75b37c2703302b3553413317b6def839ebbca0d6d8
                • Opcode Fuzzy Hash: f85357f31fa1e85a6b80d8507dcd8ec87ba752ebc871ec0aabdd2bc1f80fdd6d
                • Instruction Fuzzy Hash: 6FC1A475A04216EFCB14DF94C888EAEB7F5FF48318B214698E815EB251E730DE81DB94
                APIs
                • CharLowerBuffW.USER32(?,?), ref: 00CAE3D2
                • CharLowerBuffW.USER32(?,?), ref: 00CAE415
                  • Part of subcall function 00CADAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00CADAD9
                • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00CAE615
                • _memmove.LIBCMT ref: 00CAE628
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: BuffCharLower$AllocVirtual_memmove
                • String ID:
                • API String ID: 3659485706-0
                • Opcode ID: e137d48b386f4211f48a88bb11e7d53ba11c3eb58ff7995dde712090425b8bac
                • Instruction ID: 9cf7c0ec5eb13b37af3c63b302a15bee69566d84fd2c194d4e459e5ecd2ad097
                • Opcode Fuzzy Hash: e137d48b386f4211f48a88bb11e7d53ba11c3eb58ff7995dde712090425b8bac
                • Instruction Fuzzy Hash: AAC15A71A083029FC714DF28C48096ABBE4FF89718F14896DF8999B351D770EA46CF82
                APIs
                • CoInitialize.OLE32(00000000), ref: 00CA83D8
                • CoUninitialize.OLE32 ref: 00CA83E3
                  • Part of subcall function 00C8DA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00C8DAC5
                • VariantInit.OLEAUT32(?), ref: 00CA83EE
                • VariantClear.OLEAUT32(?), ref: 00CA86BF
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                • String ID:
                • API String ID: 780911581-0
                • Opcode ID: 8df715b61e5c442ce6292f6eb02a9c5ed0a81dda32fa07965307551b6fb3cb2e
                • Instruction ID: 9ad39c5bd584998876c6b353662cd9cb5e259b00d76ab95326fab14ee749f0f1
                • Opcode Fuzzy Hash: 8df715b61e5c442ce6292f6eb02a9c5ed0a81dda32fa07965307551b6fb3cb2e
                • Instruction Fuzzy Hash: 75A146756147029FDB10EF28C885B2AB7E4FF89318F148548F99A9B3A1CB70ED04DB46
                APIs
                • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00CC2C7C,?), ref: 00C87C32
                • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00CC2C7C,?), ref: 00C87C4A
                • CLSIDFromProgID.OLE32(?,?,00000000,00CBFB80,000000FF,?,00000000,00000800,00000000,?,00CC2C7C,?), ref: 00C87C6F
                • _memcmp.LIBCMT ref: 00C87C90
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: FromProg$FreeTask_memcmp
                • String ID:
                • API String ID: 314563124-0
                • Opcode ID: 862c1a910833fbf22d75ebb113df074308ba41407bb6f47f8ed50b379ff51e69
                • Instruction ID: e41af0357c9053cacac2c4ed2877cc72c510c4e9c0d57ff3d9605059713b65c5
                • Opcode Fuzzy Hash: 862c1a910833fbf22d75ebb113df074308ba41407bb6f47f8ed50b379ff51e69
                • Instruction Fuzzy Hash: 21811C71A04109EFCB04DF94C988EEEB7B9FF89315F204198F516AB250DB71AE46CB60
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Variant$AllocClearCopyInitString
                • String ID:
                • API String ID: 2808897238-0
                • Opcode ID: 8c08cb8272602e4411976b3942e1f12ddaee49c4168d5b72db9f2f3323ed7b0a
                • Instruction ID: a79dc90cd3f167fb289cc89f576c94f2c9e8e1de024337dc7e0fc8b1617ab43e
                • Opcode Fuzzy Hash: 8c08cb8272602e4411976b3942e1f12ddaee49c4168d5b72db9f2f3323ed7b0a
                • Instruction Fuzzy Hash: 0651B8346183059BDB24BF66D895B2EF3E5EF48314F30891FE656CB291EB70D840AB19
                APIs
                • GetWindowRect.USER32(015BEF28,?), ref: 00CB9AD2
                • ScreenToClient.USER32(00000002,00000002), ref: 00CB9B05
                • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00CB9B72
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Window$ClientMoveRectScreen
                • String ID:
                • API String ID: 3880355969-0
                • Opcode ID: f99ce298b6b5902b29152ad1a75cae70be5f9afb5643a3f0b59c9971b3a90365
                • Instruction ID: 4850e27b42294b58e40a2dd768a179bed1db158f8dfb29cf4aec5c5407059fba
                • Opcode Fuzzy Hash: f99ce298b6b5902b29152ad1a75cae70be5f9afb5643a3f0b59c9971b3a90365
                • Instruction Fuzzy Hash: BB514034A00609EFCF20DF68D881AEE7BB5FF55360F148659F9259B2A1D730AE41DB90
                APIs
                • socket.WSOCK32(00000002,00000002,00000011), ref: 00CA6CE4
                • WSAGetLastError.WSOCK32(00000000), ref: 00CA6CF4
                  • Part of subcall function 00C39997: __itow.LIBCMT ref: 00C399C2
                  • Part of subcall function 00C39997: __swprintf.LIBCMT ref: 00C39A0C
                • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00CA6D58
                • WSAGetLastError.WSOCK32(00000000), ref: 00CA6D64
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: ErrorLast$__itow__swprintfsocket
                • String ID:
                • API String ID: 2214342067-0
                • Opcode ID: e70f52df1929ed66c1cdd3e28e2341345f5a7bfa356b163c48edfedd9d666063
                • Instruction ID: b929f73fe7bd043a8fd12e711d08275f8533408a054cb54a5769e3fac9b587c0
                • Opcode Fuzzy Hash: e70f52df1929ed66c1cdd3e28e2341345f5a7bfa356b163c48edfedd9d666063
                • Instruction Fuzzy Hash: C141C174750300AFEB20AF24DC86F3E77E9DB05B14F448118FA59AB2D2DBB59D00AB91
                APIs
                • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00CBF910), ref: 00CA67BA
                • _strlen.LIBCMT ref: 00CA67EC
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: _strlen
                • String ID:
                • API String ID: 4218353326-0
                • Opcode ID: 71cd69cc75916c050b221e7e9fac1cdf46c1d8d79287c6a7b156e1ac92258e96
                • Instruction ID: f510fccc7b5f628488b8d9d15f850a9e8d23f0c4bf03d3a3bb18ea2aa789df0c
                • Opcode Fuzzy Hash: 71cd69cc75916c050b221e7e9fac1cdf46c1d8d79287c6a7b156e1ac92258e96
                • Instruction Fuzzy Hash: ED41D535A00105ABCB14EB64DCC5FAEB3ACEF45318F188169F816972D2DB30AD45EB50
                APIs
                • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00C9BB09
                • GetLastError.KERNEL32(?,00000000), ref: 00C9BB2F
                • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00C9BB54
                • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00C9BB80
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: CreateHardLink$DeleteErrorFileLast
                • String ID:
                • API String ID: 3321077145-0
                • Opcode ID: 878317568755f75ab2e7ea77983ec4aea504db02d1ae33a9ec4b1e52537fa462
                • Instruction ID: 0f24d5efca5aec0b1ab8ed89d93f01daefb74a51ac1511caad503b71814ba3c3
                • Opcode Fuzzy Hash: 878317568755f75ab2e7ea77983ec4aea504db02d1ae33a9ec4b1e52537fa462
                • Instruction Fuzzy Hash: 08411539200610DFCF10EF19C988A5DBBE1EF89310F098498E84A9B362CB74FD01EB91
                APIs
                • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00CB8B4D
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: InvalidateRect
                • String ID:
                • API String ID: 634782764-0
                • Opcode ID: 4d5a06fc2a4dd4b052fd5b5528f58d56712bc525912de4c31655247bd874532f
                • Instruction ID: 66a77cd14a0d53a030ac1fe93fb2dec36db7f0a9e5679df03d38b1c6ec3c03f4
                • Opcode Fuzzy Hash: 4d5a06fc2a4dd4b052fd5b5528f58d56712bc525912de4c31655247bd874532f
                • Instruction Fuzzy Hash: 7431B4B4600208BFEF249E38CC95FED3768EB05311F244616FA61D62E1DE30AE48D751
                APIs
                • ClientToScreen.USER32(?,?), ref: 00CBAE1A
                • GetWindowRect.USER32(?,?), ref: 00CBAE90
                • PtInRect.USER32(?,?,00CBC304), ref: 00CBAEA0
                • MessageBeep.USER32(00000000), ref: 00CBAF11
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Rect$BeepClientMessageScreenWindow
                • String ID:
                • API String ID: 1352109105-0
                • Opcode ID: acdd9fee4f3833465baa36ee0b28ae756b25291bad45e46f2144965013f3e8ed
                • Instruction ID: d1a3a0dcd2b271a10c541bcf6d5aabac2dd155c1bb16cab0f046350389fa9c93
                • Opcode Fuzzy Hash: acdd9fee4f3833465baa36ee0b28ae756b25291bad45e46f2144965013f3e8ed
                • Instruction Fuzzy Hash: 94415970600259DFCB11CF99C884BEDBBF5FF49350F1881A9E8A49B291D730E952DB92
                APIs
                • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00C91037
                • SetKeyboardState.USER32(00000080,?,00000001), ref: 00C91053
                • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00C910B9
                • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00C9110B
                Similarity
                • API ID: KeyboardState$InputMessagePostSend
                • String ID:
                • API String ID: 432972143-0
                • Opcode ID: 2473d4e8522f0b30ad7f6ff91d80492ffcd459f3e7a52639bba9603c1c0674b4
                • Instruction ID: 06477c6592bbeefc1f63ee38ebed935519660c07df53434e8ed6e63cf4255466
                • Opcode Fuzzy Hash: 2473d4e8522f0b30ad7f6ff91d80492ffcd459f3e7a52639bba9603c1c0674b4
                • Instruction Fuzzy Hash: 2B314B30E40689AEFF308B668C0F7FDBBA9AB44310F1C535AEDA1521D1C3768AC59751
                APIs
                • GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00C91176
                • SetKeyboardState.USER32(00000080,?,00008000), ref: 00C91192
                • PostMessageW.USER32(00000000,00000101,00000000), ref: 00C911F1
                • SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00C91243
                Similarity
                • API ID: KeyboardState$InputMessagePostSend
                • String ID:
                • API String ID: 432972143-0
                • Opcode ID: c6e8446d3fafa6aaeb24c614373da73aad9a01fcacaa97eed0484fc5866a906d
                • Instruction ID: 471f17510e026c38ffdd0b845bac132a047947028e8968b3952f8358a6c7c8c9
                • Opcode Fuzzy Hash: c6e8446d3fafa6aaeb24c614373da73aad9a01fcacaa97eed0484fc5866a906d
                • Instruction Fuzzy Hash: 70312830944609AEFF319B66CC0E7FE7BAAAB49320F1C431EF9A4922D1C3348B559751
                APIs
                • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00C6644B
                • __isleadbyte_l.LIBCMT ref: 00C66479
                • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00C664A7
                • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00C664DD
                Similarity
                • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                • String ID:
                • API String ID: 3058430110-0
                • Opcode ID: 47550f80657a739645f3e566e3470a83d420e942d0cadd63565ab6f886706e32
                • Instruction ID: e7e921c354e6f5c2f313a0b27ee770870a8af8595d65fca1485355f6525192bd
                • Opcode Fuzzy Hash: 47550f80657a739645f3e566e3470a83d420e942d0cadd63565ab6f886706e32
                • Instruction Fuzzy Hash: A031EF31600256AFDB31CF75CC85BBA7BA5FF40350F158429F864971A1EB31E991DB90
                APIs
                • GetForegroundWindow.USER32 ref: 00CB5189
                  • Part of subcall function 00C9387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C93897
                  • Part of subcall function 00C9387D: GetCurrentThreadId.KERNEL32 ref: 00C9389E
                  • Part of subcall function 00C9387D: AttachThreadInput.USER32(00000000,?,00C952A7), ref: 00C938A5
                • GetCaretPos.USER32(?), ref: 00CB519A
                • ClientToScreen.USER32(00000000,?), ref: 00CB51D5
                • GetForegroundWindow.USER32 ref: 00CB51DB
                Similarity
                • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                • String ID:
                • API String ID: 2759813231-0
                • Opcode ID: 62bc9d93ca9d1ae80a1c13ce0c57592162ea883b570db343788ecdd343768ce8
                • Instruction ID: 1acd856b9ecc592c08c1189398379b54b82d69ae46fab1d55a1a4336579db3ef
                • Opcode Fuzzy Hash: 62bc9d93ca9d1ae80a1c13ce0c57592162ea883b570db343788ecdd343768ce8
                • Instruction Fuzzy Hash: 3B313C71910108AFDB04EFA9CC85AEFB7FDEF98304F10406AE416E7241EA759E05DBA1
                APIs
                  • Part of subcall function 00C32612: GetWindowLongW.USER32(?,000000EB), ref: 00C32623
                • GetCursorPos.USER32(?), ref: 00CBC7C2
                • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00C6BBFB,?,?,?,?,?), ref: 00CBC7D7
                • GetCursorPos.USER32(?), ref: 00CBC824
                • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00C6BBFB,?,?,?), ref: 00CBC85E
                Similarity
                • API ID: Cursor$LongMenuPopupProcTrackWindow
                • String ID:
                • API String ID: 2864067406-0
                • Opcode ID: 307254f9f0e980d2189d1508f5f07dd6af2bb0370d02e32fc5625e344d8e7825
                • Instruction ID: f8d7a2e7afe91855e1b518561dd8d20c66c57a968916e2bb358e11442997e36d
                • Opcode Fuzzy Hash: 307254f9f0e980d2189d1508f5f07dd6af2bb0370d02e32fc5625e344d8e7825
                • Instruction Fuzzy Hash: C7317135600018AFCB25CF59CCD8FEE7BB6EB49310F044169F9158B2A1C7369E51DBA0
                APIs
                • __setmode.LIBCMT ref: 00C50BF2
                  • Part of subcall function 00C35B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00C97B20,?,?,00000000), ref: 00C35B8C
                  • Part of subcall function 00C35B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00C97B20,?,?,00000000,?,?), ref: 00C35BB0
                • _fprintf.LIBCMT ref: 00C50C29
                • OutputDebugStringW.KERNEL32(?), ref: 00C86331
                  • Part of subcall function 00C54CDA: _flsall.LIBCMT ref: 00C54CF3
                • __setmode.LIBCMT ref: 00C50C5E
                Similarity
                • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                • String ID:
                • API String ID: 521402451-0
                • Opcode ID: abc2e37e72dbf8321be9e975ec948839c023939e89841dd13293b50e8f6ea687
                • Instruction ID: 61a421f55b69856aa08f5245a4bd8db395ce5ee5e783d7aa2c8f00ceb29b145b
                • Opcode Fuzzy Hash: abc2e37e72dbf8321be9e975ec948839c023939e89841dd13293b50e8f6ea687
                • Instruction Fuzzy Hash: E4116A369046047BCB0877B49C43ABE7B68DF46325F14011AF504971D2DE201DC9B79A
                APIs
                  • Part of subcall function 00C88652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C88669
                  • Part of subcall function 00C88652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C88673
                  • Part of subcall function 00C88652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C88682
                  • Part of subcall function 00C88652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C88689
                  • Part of subcall function 00C88652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C8869F
                • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00C88BEB
                • _memcmp.LIBCMT ref: 00C88C0E
                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C88C44
                • HeapFree.KERNEL32(00000000), ref: 00C88C4B
                Similarity
                • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                • String ID:
                • API String ID: 1592001646-0
                • Opcode ID: f65485a0794a0cab829860e86c18297ae6b2931fbc2a7466c7b3c5b5c6d6a121
                • Instruction ID: 7e33b78bebd4f920f10d4c0da161eb725a6c5d900606e8ec341ac1f452b3206d
                • Opcode Fuzzy Hash: f65485a0794a0cab829860e86c18297ae6b2931fbc2a7466c7b3c5b5c6d6a121
                • Instruction Fuzzy Hash: D921B071E01208EFCB00EFA4C944BEEB7B8FF44349F444059E964A7241DB30AE0ACB64
                APIs
                • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00CA1A97
                  • Part of subcall function 00CA1B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00CA1B40
                  • Part of subcall function 00CA1B21: InternetCloseHandle.WININET(00000000), ref: 00CA1BDD
                Similarity
                • API ID: Internet$CloseConnectHandleOpen
                • String ID:
                • API String ID: 1463438336-0
                • Opcode ID: a4bb519e24912dc6451bf0404e76ba95ec83d782b094c4ff43c8a2edfa66230d
                • Instruction ID: fd600657e165120e90c092dbb627356c242aa8de3df6d163d0650889d1cfb972
                • Opcode Fuzzy Hash: a4bb519e24912dc6451bf0404e76ba95ec83d782b094c4ff43c8a2edfa66230d
                • Instruction Fuzzy Hash: 5721D175200602BFDB119F64DC00FBAB7ADFF46715F18011AFE51D6650EB31D911ABA4
                APIs
                  • Part of subcall function 00C8F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00C8E1C4,?,?,?,00C8EFB7,00000000,000000EF,00000119,?,?), ref: 00C8F5BC
                  • Part of subcall function 00C8F5AD: lstrcpyW.KERNEL32(00000000,?,?,00C8E1C4,?,?,?,00C8EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00C8F5E2
                  • Part of subcall function 00C8F5AD: lstrcmpiW.KERNEL32(00000000,?,00C8E1C4,?,?,?,00C8EFB7,00000000,000000EF,00000119,?,?), ref: 00C8F613
                • lstrlenW.KERNEL32(?,00000002,?,?,?,?,00C8EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00C8E1DD
                • lstrcpyW.KERNEL32(00000000,?,?,00C8EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00C8E203
                • lstrcmpiW.KERNEL32(00000002,cdecl,?,00C8EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00C8E237
                Strings
                Similarity
                • API ID: lstrcmpilstrcpylstrlen
                • String ID: cdecl
                • API String ID: 4031866154-3896280584
                • Opcode ID: 343700bd998e35f4bcb2f5eccf6f405642710753f218349eaa5a9a1fd279a5a8
                • Instruction ID: 7b3cf181f230b2349081e315b19b631685a37170e49f248a57cb1c0beb1b046d
                • Opcode Fuzzy Hash: 343700bd998e35f4bcb2f5eccf6f405642710753f218349eaa5a9a1fd279a5a8
                • Instruction Fuzzy Hash: 1711BE3A200341EFCB25AF68DC45A7A77A8FF84314B40413AE816CB2A0EB719951D7A8
                APIs
                • _free.LIBCMT ref: 00C65351
                  • Part of subcall function 00C5594C: __FF_MSGBANNER.LIBCMT ref: 00C55963
                  • Part of subcall function 00C5594C: __NMSG_WRITE.LIBCMT ref: 00C5596A
                  • Part of subcall function 00C5594C: RtlAllocateHeap.NTDLL(015A0000,00000000,00000001,00000000,?,?,?,00C51013,?), ref: 00C5598F
                Similarity
                • API ID: AllocateHeap_free
                • String ID:
                • API String ID: 614378929-0
                • Opcode ID: 292864c0821a510e4aa46e150d1bf1ceea67900c5471b4da80e1e8c8bdb4883c
                • Instruction ID: 163d559f63294cc420d34eaf15ffaf758563aec898d3eec928e3baf77c280a3c
                • Opcode Fuzzy Hash: 292864c0821a510e4aa46e150d1bf1ceea67900c5471b4da80e1e8c8bdb4883c
                • Instruction Fuzzy Hash: A3112736504A16AFCB302F74EC8172E37E85F00BE1F300539FC54AA2B1DE708A85A394
                APIs
                • _memset.LIBCMT ref: 00C34560
                  • Part of subcall function 00C3410D: _memset.LIBCMT ref: 00C3418D
                  • Part of subcall function 00C3410D: _wcscpy.LIBCMT ref: 00C341E1
                  • Part of subcall function 00C3410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C341F1
                • KillTimer.USER32(?,00000001,?,?), ref: 00C345B5
                • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C345C4
                • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C6D6CE
                Similarity
                • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                • String ID:
                • API String ID: 1378193009-0
                • Opcode ID: 14a937c28b1567b1ec12930474f88a24e203b58ac9bc385ae803631435587116
                • Instruction ID: 31726f919825259197d9e90d187814117a217519f466e7138f48765231ae63fe
                • Opcode Fuzzy Hash: 14a937c28b1567b1ec12930474f88a24e203b58ac9bc385ae803631435587116
                • Instruction Fuzzy Hash: B6219570D04784AFEB328B24DC95BEBBBEC9F11308F04049EE69E56281C7B46A85DB51
                APIs
                  • Part of subcall function 00C35B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00C97B20,?,?,00000000), ref: 00C35B8C
                  • Part of subcall function 00C35B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00C97B20,?,?,00000000,?,?), ref: 00C35BB0
                • gethostbyname.WSOCK32(?,?,?), ref: 00CA66AC
                • WSAGetLastError.WSOCK32(00000000), ref: 00CA66B7
                • _memmove.LIBCMT ref: 00CA66E4
                • inet_ntoa.WSOCK32(?), ref: 00CA66EF
                Similarity
                • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                • String ID:
                • API String ID: 1504782959-0
                • Opcode ID: 027442e6bb61a0a257d5383bcba8bba254ed94619740c3f2ce1038597a9f125b
                • Instruction ID: 230a06c1e8c8b6117b80795fe2d23b8a2093665aadf8926cbb80f8e31851282e
                • Opcode Fuzzy Hash: 027442e6bb61a0a257d5383bcba8bba254ed94619740c3f2ce1038597a9f125b
                • Instruction Fuzzy Hash: B5117C35510509AFCB04EBA4DD86EEEB7B8EF09314F044129F506A72A1DF30AF04EB61
                APIs
                • SendMessageW.USER32(?,000000B0,?,?), ref: 00C89043
                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C89055
                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C8906B
                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C89086
                Similarity
                • API ID: MessageSend
                • String ID:
                • API String ID: 3850602802-0
                • Opcode ID: c454c3f3428046038b8d067b77571a8713014fabc6b33d9a72c2cd70873e6b49
                • Instruction ID: 0b22d1b494594ff9913ea5524be7afb7f53312510f52ef2ce77f2724e25b3a12
                • Opcode Fuzzy Hash: c454c3f3428046038b8d067b77571a8713014fabc6b33d9a72c2cd70873e6b49
                • Instruction Fuzzy Hash: CC113A79900218BFDB10DFA5CC84EADBBB4FB48310F2040A5E904B7250D7726E10DB94
                APIs
                  • Part of subcall function 00C32612: GetWindowLongW.USER32(?,000000EB), ref: 00C32623
                • DefDlgProcW.USER32(?,00000020,?), ref: 00C312D8
                • GetClientRect.USER32(?,?), ref: 00C6B84B
                • GetCursorPos.USER32(?), ref: 00C6B855
                • ScreenToClient.USER32(?,?), ref: 00C6B860
                Similarity
                • API ID: Client$CursorLongProcRectScreenWindow
                • String ID:
                • API String ID: 4127811313-0
                • Opcode ID: 92158d05a8f26c845d32fc30f25dca749246624ed508e20b363fd488ac13da8b
                • Instruction ID: 21968332133903c9dceff57e94cc2547d2325a4a13a1ebf860fc3865c5038cb9
                • Opcode Fuzzy Hash: 92158d05a8f26c845d32fc30f25dca749246624ed508e20b363fd488ac13da8b
                • Instruction Fuzzy Hash: C6113635A10019AFCB10EFA8D885AFF77B8EB05301F00055AF911E7251C731BA529BA5
                APIs
                • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00C901FD,?,00C91250,?,00008000), ref: 00C9166F
                • Sleep.KERNEL32(00000000,?,?,?,?,?,?,00C901FD,?,00C91250,?,00008000), ref: 00C91694
                • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00C901FD,?,00C91250,?,00008000), ref: 00C9169E
                • Sleep.KERNEL32(?,?,?,?,?,?,?,00C901FD,?,00C91250,?,00008000), ref: 00C916D1
                Similarity
                • API ID: CounterPerformanceQuerySleep
                • String ID:
                • API String ID: 2875609808-0
                • Opcode ID: 081700d715d3625bde2789f2aa2e13de301c0145383581e880e28052cbf030cb
                • Instruction ID: 5feebb7b3280d59ed68b2454ae854e0be68c6b7a5ddffc892e252575893e6893
                • Opcode Fuzzy Hash: 081700d715d3625bde2789f2aa2e13de301c0145383581e880e28052cbf030cb
                • Instruction Fuzzy Hash: 5A114835C1051AD7CF009FA6DC4ABEEBB78FF09741F094599ED40B6240CB3056A08B96
                APIs
                Similarity
                • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                • String ID:
                • API String ID: 3016257755-0
                • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                • Instruction ID: 6b873814959e9da9ad1bae41ee91dcaf74711ad60bc74f45acc64c0d58c22cf2
                • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                • Instruction Fuzzy Hash: 0D01403604414AFBCF225F94CC918EE3F62BF59359B588A15FA2858031D237CAB5BB81
                APIs
                • GetWindowRect.USER32(?,?), ref: 00CBB59E
                • ScreenToClient.USER32(?,?), ref: 00CBB5B6
                • ScreenToClient.USER32(?,?), ref: 00CBB5DA
                • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00CBB5F5
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: ClientRectScreen$InvalidateWindow
                • String ID:
                • API String ID: 357397906-0
                • Opcode ID: a8aa206e39077ec9572ae16a6b2bc2b56f0485fbae735cadc1ac8deee11cbd45
                • Instruction ID: 8b07c073b631599b74b8e9d80a5208a03a06c453873d1d0a76046f0aa636d8fe
                • Opcode Fuzzy Hash: a8aa206e39077ec9572ae16a6b2bc2b56f0485fbae735cadc1ac8deee11cbd45
                • Instruction Fuzzy Hash: CA1146B5D00209EFDB41CF99C844AEEFBB5FB18310F108166E954E3220D775AA558F51
                APIs
                • _memset.LIBCMT ref: 00CBB8FE
                • _memset.LIBCMT ref: 00CBB90D
                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00CF7F20,00CF7F64), ref: 00CBB93C
                • CloseHandle.KERNEL32 ref: 00CBB94E
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: _memset$CloseCreateHandleProcess
                • String ID:
                • API String ID: 3277943733-0
                • Opcode ID: 93bdc50f608f6d7ca4f9622d012e7bcb79b936494f6c16ab0a83a7b53c853754
                • Instruction ID: 87ad0337ceb08f929262d9c665e379bb9a3af098fa67362f96e6f8674a145573
                • Opcode Fuzzy Hash: 93bdc50f608f6d7ca4f9622d012e7bcb79b936494f6c16ab0a83a7b53c853754
                • Instruction Fuzzy Hash: 1DF082F25443047BF6102BA1AC06FBF3A9CEB08394F000121FB08D52A2D7714D11C7AE
                APIs
                • EnterCriticalSection.KERNEL32(?), ref: 00C96E88
                  • Part of subcall function 00C9794E: _memset.LIBCMT ref: 00C97983
                • _memmove.LIBCMT ref: 00C96EAB
                • _memset.LIBCMT ref: 00C96EB8
                • LeaveCriticalSection.KERNEL32(?), ref: 00C96EC8
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: CriticalSection_memset$EnterLeave_memmove
                • String ID:
                • API String ID: 48991266-0
                • Opcode ID: 0629910ea4eae26c5f4d373f35034d786dade50f8a6fea1389c9119a5f18ffba
                • Instruction ID: a5306ec5cfcb1e9322c0b61cd91eb259b8a1b6d3e04f4d08c8eaeaed0a44b120
                • Opcode Fuzzy Hash: 0629910ea4eae26c5f4d373f35034d786dade50f8a6fea1389c9119a5f18ffba
                • Instruction Fuzzy Hash: 75F0543A200210BBCF016F55DC85B4ABB29EF45361F048165FE085F257C731A955DBB5
                APIs
                  • Part of subcall function 00C312F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C3134D
                  • Part of subcall function 00C312F3: SelectObject.GDI32(?,00000000), ref: 00C3135C
                  • Part of subcall function 00C312F3: BeginPath.GDI32(?), ref: 00C31373
                  • Part of subcall function 00C312F3: SelectObject.GDI32(?,00000000), ref: 00C3139C
                • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00CBC030
                • LineTo.GDI32(00000000,?,?), ref: 00CBC03D
                • EndPath.GDI32(00000000), ref: 00CBC04D
                • StrokePath.GDI32(00000000), ref: 00CBC05B
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                • String ID:
                • API String ID: 1539411459-0
                • Opcode ID: d64bc879761e9bd158ddb1ab58e2262270b166ac37742213f0e093cb70c9292b
                • Instruction ID: 37290889ab222109e87bed43211696ea75a0fa3771a5c0d6e083ef4c871bb048
                • Opcode Fuzzy Hash: d64bc879761e9bd158ddb1ab58e2262270b166ac37742213f0e093cb70c9292b
                • Instruction Fuzzy Hash: 58F05E31005259BBDB126F54FC09FDE3F69AF05311F044118FA11611E287765A52DBA5
                APIs
                • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00C8A399
                • GetWindowThreadProcessId.USER32(?,00000000), ref: 00C8A3AC
                • GetCurrentThreadId.KERNEL32 ref: 00C8A3B3
                • AttachThreadInput.USER32(00000000), ref: 00C8A3BA
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                • String ID:
                • API String ID: 2710830443-0
                • Opcode ID: 0912cb76a01602253a92885fd07b0f30157f835c680f8e4ae5326c5ebe2c6ca4
                • Instruction ID: af8652339e87e31b9a7c3ebb56e3e3ea1d899a5e6508e8f717c72bd036d1d46e
                • Opcode Fuzzy Hash: 0912cb76a01602253a92885fd07b0f30157f835c680f8e4ae5326c5ebe2c6ca4
                • Instruction Fuzzy Hash: FAE03931541328BAEB202FA2DC0CFDF3F1CEF267A2F008129F90884060C671D541CBA0
                APIs
                • GetSysColor.USER32(00000008), ref: 00C32231
                • SetTextColor.GDI32(?,000000FF), ref: 00C3223B
                • SetBkMode.GDI32(?,00000001), ref: 00C32250
                • GetStockObject.GDI32(00000005), ref: 00C32258
                • GetWindowDC.USER32(?,00000000), ref: 00C6C0D3
                • GetPixel.GDI32(00000000,00000000,00000000), ref: 00C6C0E0
                • GetPixel.GDI32(00000000,?,00000000), ref: 00C6C0F9
                • GetPixel.GDI32(00000000,00000000,?), ref: 00C6C112
                • GetPixel.GDI32(00000000,?,?), ref: 00C6C132
                • ReleaseDC.USER32(?,00000000), ref: 00C6C13D
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                • String ID:
                • API String ID: 1946975507-0
                • Opcode ID: 706698062d5674183b5f372b0561bdbd42847ee0601de84e83f7262d63ba3a04
                • Instruction ID: 2c1c9689e0cfafd034475d671abe2bb018216ca74eb94707d0fabf85bc55148c
                • Opcode Fuzzy Hash: 706698062d5674183b5f372b0561bdbd42847ee0601de84e83f7262d63ba3a04
                • Instruction Fuzzy Hash: 47E06D32100244EADF215F68FC4D7EC3B24EB05332F00836AFAB9581E1C7728A81DB11
                APIs
                • GetCurrentThread.KERNEL32 ref: 00C88C63
                • OpenThreadToken.ADVAPI32(00000000,?,?,?,00C8882E), ref: 00C88C6A
                • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00C8882E), ref: 00C88C77
                • OpenProcessToken.ADVAPI32(00000000,?,?,?,00C8882E), ref: 00C88C7E
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: CurrentOpenProcessThreadToken
                • String ID:
                • API String ID: 3974789173-0
                • Opcode ID: 5733a97537adf8c72dbaf0a469a72649d8e728e39a1463bad0d5760236d8d195
                • Instruction ID: 203e491856c7dd65c1353f786ea02f75df2b1e1eb2230117cfcc33d9054ef224
                • Opcode Fuzzy Hash: 5733a97537adf8c72dbaf0a469a72649d8e728e39a1463bad0d5760236d8d195
                • Instruction Fuzzy Hash: 73E08636642221EBD7206FB06E0CB5F3BACEF54796F04492CB645C9050DA748446CB61
                APIs
                • GetDesktopWindow.USER32 ref: 00C72187
                • GetDC.USER32(00000000), ref: 00C72191
                • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00C721B1
                • ReleaseDC.USER32(?), ref: 00C721D2
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: CapsDesktopDeviceReleaseWindow
                • String ID:
                • API String ID: 2889604237-0
                • Opcode ID: 71cb07da74b79aa50dad1713d5322006f09179efc9334e4ccb1234c3d131f3a2
                • Instruction ID: 48b0aea7c6d442ee67d367c195e21d1db08d025a677b1851e7846b91eb88ad13
                • Opcode Fuzzy Hash: 71cb07da74b79aa50dad1713d5322006f09179efc9334e4ccb1234c3d131f3a2
                • Instruction Fuzzy Hash: 0EE0EEB5810214EFDB01AFA1DC08BAD7BB1FB4C350F108529FD9AA7320CB788542AF40
                APIs
                • GetDesktopWindow.USER32 ref: 00C7219B
                • GetDC.USER32(00000000), ref: 00C721A5
                • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00C721B1
                • ReleaseDC.USER32(?), ref: 00C721D2
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: CapsDesktopDeviceReleaseWindow
                • String ID:
                • API String ID: 2889604237-0
                • Opcode ID: bb7602e0fc702624edb42ee3075cf662c3e871b98bb7271cefe73be12e5d0fa1
                • Instruction ID: 0aee0da7d0865f83493dbc1a3c875556dc8a3199c96b76a0a13be28a9043ea03
                • Opcode Fuzzy Hash: bb7602e0fc702624edb42ee3075cf662c3e871b98bb7271cefe73be12e5d0fa1
                • Instruction Fuzzy Hash: 3DE012B5810204AFCB01AFB0DC087AD7BF1EB4C310F108129FD9AA7320CB789142AF40
                APIs
                • OleSetContainedObject.OLE32(?,00000001), ref: 00C8B981
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: ContainedObject
                • String ID: AutoIt3GUI$Container
                • API String ID: 3565006973-3941886329
                • Opcode ID: 66e123f580448bcbdd2e3b5fffda76c102ee03ce240a2cb4aec3d90d4d54235d
                • Instruction ID: 3764c60868d361453ef2492ee8ab65af6ba1d71d400f400090643880b1825d4e
                • Opcode Fuzzy Hash: 66e123f580448bcbdd2e3b5fffda76c102ee03ce240a2cb4aec3d90d4d54235d
                • Instruction Fuzzy Hash: B6915974600601AFDB24DF68C884A6ABBF8FF48714F24856DF95ACB2A1DB70ED40CB54
                APIs
                  • Part of subcall function 00C4FEC6: _wcscpy.LIBCMT ref: 00C4FEE9
                  • Part of subcall function 00C39997: __itow.LIBCMT ref: 00C399C2
                  • Part of subcall function 00C39997: __swprintf.LIBCMT ref: 00C39A0C
                • __wcsnicmp.LIBCMT ref: 00C9B298
                • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00C9B361
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                • String ID: LPT
                • API String ID: 3222508074-1350329615
                • Opcode ID: 76bb6eed9ab83755d5cdea2c315736a307ad3bbb2c9e83899d597a52cb40f217
                • Instruction ID: 84fc7bb5a907176d22fd8c84115cfdfbada9a75219a520b7a9e07ecf3d961071
                • Opcode Fuzzy Hash: 76bb6eed9ab83755d5cdea2c315736a307ad3bbb2c9e83899d597a52cb40f217
                • Instruction Fuzzy Hash: F761A075A00215EFCF14DF98D989EAEB7B4FF48310F10406AF916AB2A1DB70AE40DB50
                APIs
                • Sleep.KERNEL32(00000000), ref: 00C42AC8
                • GlobalMemoryStatusEx.KERNEL32(?), ref: 00C42AE1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: GlobalMemorySleepStatus
                • String ID: @
                • API String ID: 2783356886-2766056989
                • Opcode ID: 25efff21252c1d5b7dfb1ceaf5749cb30d9012dbe9835a5f13658eead46d2e50
                • Instruction ID: a318fa337684c109365a2be1222ed792d739326be2a37bc5dd951e97ab6d173a
                • Opcode Fuzzy Hash: 25efff21252c1d5b7dfb1ceaf5749cb30d9012dbe9835a5f13658eead46d2e50
                • Instruction Fuzzy Hash: F3514971428B449BD320AF10DC86BAFBBE8FF84310F42895DF2D9511A1DB718529DB17
                APIs
                  • Part of subcall function 00C3506B: __fread_nolock.LIBCMT ref: 00C35089
                • _wcscmp.LIBCMT ref: 00C99AAE
                • _wcscmp.LIBCMT ref: 00C99AC1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: _wcscmp$__fread_nolock
                • String ID: FILE
                • API String ID: 4029003684-3121273764
                • Opcode ID: e489c69fdd67dc02f31ca192ba86bc1c12129aa74908c64c3c071435986192ef
                • Instruction ID: e7ca3f251d8f996012140188ceebe031c1ca10dc4d8ec48d322fcd592cba8dba
                • Opcode Fuzzy Hash: e489c69fdd67dc02f31ca192ba86bc1c12129aa74908c64c3c071435986192ef
                • Instruction Fuzzy Hash: 8D41C471A00619BBDF209EA5DC85FEFBBBDEF49710F000079B900A71C1DA75AA049BA1
                APIs
                • _memset.LIBCMT ref: 00CA2892
                • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00CA28C8
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: CrackInternet_memset
                • String ID: |
                • API String ID: 1413715105-2343686810
                • Opcode ID: 4878d0a35e3e1cf7aea10d9fa6c0e6856df48fc73c25ca85e3afa4c0a7310833
                • Instruction ID: 87c2ded1549edb87e7461a7c11a1eb3d5b2a987ec3a0cceb2f1286e2fb1c99ec
                • Opcode Fuzzy Hash: 4878d0a35e3e1cf7aea10d9fa6c0e6856df48fc73c25ca85e3afa4c0a7310833
                • Instruction Fuzzy Hash: 2D313971810219ABCF11AFA5CC85EEEBFB8FF09304F100129F815B6165DA315A56EB60
                APIs
                • SendMessageW.USER32(?,00001132,00000000,?), ref: 00CB7DD0
                • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00CB7DE5
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: MessageSend
                • String ID: '
                • API String ID: 3850602802-1997036262
                • Opcode ID: f765ffd65361fee60da839070f25ea689e26e6842123f12b040d93f5933dfa5a
                • Instruction ID: 93bf88eb89f19b2526b3ca16ae27f6447aa94d948f8c9c72f6ab4318b1b3dcfc
                • Opcode Fuzzy Hash: f765ffd65361fee60da839070f25ea689e26e6842123f12b040d93f5933dfa5a
                • Instruction Fuzzy Hash: 0E411774A052099FDF10CF69C881BEABBB9FF49340F10026AED15AB381D730A951CF90
                APIs
                • DestroyWindow.USER32(?,?,?,?), ref: 00CB6D86
                • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00CB6DC2
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Window$DestroyMove
                • String ID: static
                • API String ID: 2139405536-2160076837
                • Opcode ID: b1b76f318c3b633fc85095340249a45ffdbc9d7cdb43b33cd00f74460375aa5d
                • Instruction ID: 66a81e31fbf0ca90fb303b2bd0b34833b16920faee9bba7d124ab62a9c515e01
                • Opcode Fuzzy Hash: b1b76f318c3b633fc85095340249a45ffdbc9d7cdb43b33cd00f74460375aa5d
                • Instruction Fuzzy Hash: 60318F71210604AEDB109F78CC80BFB77B9FF48724F10861DF9A597190DA75AD91DB60
                APIs
                • _memset.LIBCMT ref: 00C92E00
                • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00C92E3B
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: InfoItemMenu_memset
                • String ID: 0
                • API String ID: 2223754486-4108050209
                • Opcode ID: 74b0e25ae7e8218152b40b8ad8574cd8f8e541775683222775bba2bd915a2d3c
                • Instruction ID: 1ea541eba475d25c54b916ac00cd1543b3d07761a95d7015b18c835af876adb3
                • Opcode Fuzzy Hash: 74b0e25ae7e8218152b40b8ad8574cd8f8e541775683222775bba2bd915a2d3c
                • Instruction Fuzzy Hash: 6731F235A00309BBEF258F48C8C9BAEBBB9FF05351F14006AEDD5961A0E7709A44DB14
                APIs
                • __snwprintf.LIBCMT ref: 00CA3D5A
                  • Part of subcall function 00C37F41: _memmove.LIBCMT ref: 00C37F82
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: __snwprintf_memmove
                • String ID: , $$AUTOITCALLVARIABLE%d
                • API String ID: 3506404897-2584243854
                • Opcode ID: 58cabc9d7b7a9c30383168af17af2d1f52180152e5114de0c1572840d00f0396
                • Instruction ID: e7cfc9e9faeef7f28ba2498d55ec7c3a3f7f11e98795d1469be27d7f7e8e3332
                • Opcode Fuzzy Hash: 58cabc9d7b7a9c30383168af17af2d1f52180152e5114de0c1572840d00f0396
                • Instruction Fuzzy Hash: F921A271A10259AFCF11EFA5CC92AED77B4FF45704F4004A4F805AB281DB30EA45EBA1
                APIs
                • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00CB69D0
                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CB69DB
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: MessageSend
                • String ID: Combobox
                • API String ID: 3850602802-2096851135
                • Opcode ID: 76eee51a7a58879c816af46cb2dcb7a36acd306385ddc2d6f7b7f16450b3a27f
                • Instruction ID: 1525a6219b933ac000da42e3f5d74b19cee33da374ab4ab6498b648078af430b
                • Opcode Fuzzy Hash: 76eee51a7a58879c816af46cb2dcb7a36acd306385ddc2d6f7b7f16450b3a27f
                • Instruction Fuzzy Hash: 1511C471B102086FEF119F24CC80FFF776AEB993A4F110125F96897290D6759D5187A0
                APIs
                  • Part of subcall function 00C31D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00C31D73
                  • Part of subcall function 00C31D35: GetStockObject.GDI32(00000011), ref: 00C31D87
                  • Part of subcall function 00C31D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C31D91
                • GetWindowRect.USER32(00000000,?), ref: 00CB6EE0
                • GetSysColor.USER32(00000012), ref: 00CB6EFA
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Window$ColorCreateMessageObjectRectSendStock
                • String ID: static
                • API String ID: 1983116058-2160076837
                • Opcode ID: 35ace2ac71df6d5d58b2f4fdf9979451433ae3b8b5f0df74e8f82fbbc671b5e5
                • Instruction ID: db145447cdfad60982a99e754d0f813e8c62eab0a22b159c61c318c226f7456f
                • Opcode Fuzzy Hash: 35ace2ac71df6d5d58b2f4fdf9979451433ae3b8b5f0df74e8f82fbbc671b5e5
                • Instruction Fuzzy Hash: C3211472A1020AAFDB04DFA8DD45AFA7BA8EB08314F044629FD55D2250E675E861DB60
                APIs
                • GetWindowTextLengthW.USER32(00000000), ref: 00CB6C11
                • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00CB6C20
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: LengthMessageSendTextWindow
                • String ID: edit
                • API String ID: 2978978980-2167791130
                • Opcode ID: 24c4d82a1519cf07e17387e20bcd00c1655758b7ccdb5ae6b6b5d5fc03545223
                • Instruction ID: 48daeb457966cfdc567f8f65a0e3eb0b16c29dcd9c7f1ad8f76f488cf29cbb12
                • Opcode Fuzzy Hash: 24c4d82a1519cf07e17387e20bcd00c1655758b7ccdb5ae6b6b5d5fc03545223
                • Instruction Fuzzy Hash: AE116671501208ABEB119E64DC41AEB3B6AEB15368F204B28F975D72E0C679DC91AB60
                APIs
                • _memset.LIBCMT ref: 00C92F11
                • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00C92F30
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: InfoItemMenu_memset
                • String ID: 0
                • API String ID: 2223754486-4108050209
                • Opcode ID: a14baf496a51561f6b0a7b4b8e8f1f36d9a3b492fb5b242fa71637b494409071
                • Instruction ID: d845dd86ec25e6fa7f6eaab985a16731dc67504b2a764639689e7b79ec890ba8
                • Opcode Fuzzy Hash: a14baf496a51561f6b0a7b4b8e8f1f36d9a3b492fb5b242fa71637b494409071
                • Instruction Fuzzy Hash: 0611BF31901228BBDF21DB98DC4CBAD77B9EB05350F1800A5E8A5A72A0D7B0EE04D799
                APIs
                • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00CA2520
                • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00CA2549
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Internet$OpenOption
                • String ID: <local>
                • API String ID: 942729171-4266983199
                • Opcode ID: 0efb80c36419b5c9f3ce93ff07ba27a6f203fcd4808483e98f3c59c64883a558
                • Instruction ID: a25d8c906ef485339eb3816c4172903ba3bde859cc689e76051df6fae7b4d889
                • Opcode Fuzzy Hash: 0efb80c36419b5c9f3ce93ff07ba27a6f203fcd4808483e98f3c59c64883a558
                • Instruction Fuzzy Hash: 7311E070900236BEDB249F5A8C98EFBFF68FB07759F10822AF91552140D2706A81DAE0
                APIs
                  • Part of subcall function 00CA830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00CA80C8,?,00000000,?,?), ref: 00CA8322
                • inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00CA80CB
                • htons.WSOCK32(00000000,?,00000000), ref: 00CA8108
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: ByteCharMultiWidehtonsinet_addr
                • String ID: 255.255.255.255
                • API String ID: 2496851823-2422070025
                • Opcode ID: 75e45716731100e7ac4b4e24622718ce0eb97e30b43f5ae2be41295d1e48c8b7
                • Instruction ID: 55699992c10df91d7e21712961a480cffa09d69758b926204ac7307643e33cf8
                • Opcode Fuzzy Hash: 75e45716731100e7ac4b4e24622718ce0eb97e30b43f5ae2be41295d1e48c8b7
                • Instruction Fuzzy Hash: BF11E534100206ABDB10AF64CC46FBDB734FF05324F10852AE91197291DB32A915D795
                APIs
                  • Part of subcall function 00C37F41: _memmove.LIBCMT ref: 00C37F82
                  • Part of subcall function 00C8B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00C8B0E7
                • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00C89355
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: ClassMessageNameSend_memmove
                • String ID: ComboBox$ListBox
                • API String ID: 372448540-1403004172
                • Opcode ID: a1a30b24d21490afa5a804ec17a70332d9243ec2d4bcffaf951aaf065c08409a
                • Instruction ID: 2c80dd99d9fe24cea4c1a86fb1e0a7b41b2a7647f56f6f98469fa6cdac18ffbc
                • Opcode Fuzzy Hash: a1a30b24d21490afa5a804ec17a70332d9243ec2d4bcffaf951aaf065c08409a
                • Instruction Fuzzy Hash: 3401B1B1A15219ABCB04FBA5CC918FE7769FF06320B140719F832572E2DB316908A754
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: __fread_nolock_memmove
                • String ID: EA06
                • API String ID: 1988441806-3962188686
                • Opcode ID: 24a76e3f6ed9362f83c6a14c3a6ec56dc0902c0af833eba99f58e4be37b01994
                • Instruction ID: b0969a413d49e4c0d411b34334c0a0a2f0369b36b3bf4bd34ea5af95dcc47881
                • Opcode Fuzzy Hash: 24a76e3f6ed9362f83c6a14c3a6ec56dc0902c0af833eba99f58e4be37b01994
                • Instruction Fuzzy Hash: C501F9718042587EDB28C6A9C81AFFE7BF8DB15301F00419EF552D61C1E575E6089B60
                APIs
                  • Part of subcall function 00C37F41: _memmove.LIBCMT ref: 00C37F82
                  • Part of subcall function 00C8B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00C8B0E7
                • SendMessageW.USER32(?,00000180,00000000,?), ref: 00C8924D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: ClassMessageNameSend_memmove
                • String ID: ComboBox$ListBox
                • API String ID: 372448540-1403004172
                • Opcode ID: 070794b008c8ec371707692f1ddaf15b025d647b57e756ee90646fe6fa7f2726
                • Instruction ID: 76e54465aa3fb610b233d601d521057bcac6b44445bca29fe9beaaf212a35666
                • Opcode Fuzzy Hash: 070794b008c8ec371707692f1ddaf15b025d647b57e756ee90646fe6fa7f2726
                • Instruction Fuzzy Hash: BE0184B1A412097BCB14FBA1C992EFF73A8DF05300F140129B912672C1EA216F18A7A5
                APIs
                  • Part of subcall function 00C37F41: _memmove.LIBCMT ref: 00C37F82
                  • Part of subcall function 00C8B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00C8B0E7
                • SendMessageW.USER32(?,00000182,?,00000000), ref: 00C892D0
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: ClassMessageNameSend_memmove
                • String ID: ComboBox$ListBox
                • API String ID: 372448540-1403004172
                • Opcode ID: cafcd85a06410a1bd166e3e2b88308ecbca669f876e7e5334bdc1b145e60b48a
                • Instruction ID: 863c1796119baeab259057c67a7144a175e6078d091fd15d938ec054107ef263
                • Opcode Fuzzy Hash: cafcd85a06410a1bd166e3e2b88308ecbca669f876e7e5334bdc1b145e60b48a
                • Instruction Fuzzy Hash: 1001A2B1A4120977CB14FBA1C992EFF77ACDF15300F280225B812672D2DA215F08A379
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: ClassName_wcscmp
                • String ID: #32770
                • API String ID: 2292705959-463685578
                • Opcode ID: 65ae86f4b1b1e52c57e153385b8849f91a3037f6b8ccbeb516e70a0b5ea4aef8
                • Instruction ID: 6d282ab69b9c2ff3b43442d11f2c51dfa1ebecb85fcf5fed8077da8898fc685f
                • Opcode Fuzzy Hash: 65ae86f4b1b1e52c57e153385b8849f91a3037f6b8ccbeb516e70a0b5ea4aef8
                • Instruction Fuzzy Hash: 9BE0D17290432D5BD71097959C49FA7F7ACEB45771F00016BFD14D3150D5609A4587D1
                APIs
                • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00C881CA
                  • Part of subcall function 00C53598: _doexit.LIBCMT ref: 00C535A2
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: Message_doexit
                • String ID: AutoIt$Error allocating memory.
                • API String ID: 1993061046-4017498283
                • Opcode ID: f1ee9acf4c60ed9fd9064515ea6c59e2d10a89af314b19c86270ea772b5a387c
                • Instruction ID: 9974853cb36dbdcfff87fb4777da073b7949ee59d67e93fd160b185ceb6e7da2
                • Opcode Fuzzy Hash: f1ee9acf4c60ed9fd9064515ea6c59e2d10a89af314b19c86270ea772b5a387c
                • Instruction Fuzzy Hash: 83D05B363C535832D21532E56C0BFCD76484B05F56F444425FF08555D38ED155C652DD
                APIs
                  • Part of subcall function 00C6B564: _memset.LIBCMT ref: 00C6B571
                  • Part of subcall function 00C50B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00C6B540,?,?,?,00C3100A), ref: 00C50B89
                • IsDebuggerPresent.KERNEL32(?,?,?,00C3100A), ref: 00C6B544
                • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00C3100A), ref: 00C6B553
                Strings
                • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00C6B54E
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                • API String ID: 3158253471-631824599
                • Opcode ID: 92c4a30b8c6de27b3264ad73df505b3952895e064627c912444d327c138b4dd0
                • Instruction ID: d60ebad07b850950814c57fa9b21dcb5a37014236092be6413f728dd354935a5
                • Opcode Fuzzy Hash: 92c4a30b8c6de27b3264ad73df505b3952895e064627c912444d327c138b4dd0
                • Instruction Fuzzy Hash: 1EE092B02003118FD731DF28D9443867BE0AF00705F008A2EE986C3761E7B4D884CB62
                APIs
                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CB5BF5
                • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00CB5C08
                  • Part of subcall function 00C954E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C9555E
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2158986798.0000000000C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C30000, based on PE: true
                • Associated: 00000000.00000002.2158960048.0000000000C30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CBF000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159056506.0000000000CE5000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159118138.0000000000CEF000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2159145634.0000000000CF8000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c30000_W1POMvaEjU.jbxd
                Similarity
                • API ID: FindMessagePostSleepWindow
                • String ID: Shell_TrayWnd
                • API String ID: 529655941-2988720461
                • Opcode ID: de4ff190a2a6120d98b361c565e387465c48f92ef256f67bf7bb00eccf8d6269
                • Instruction ID: 20231a18f253fbaa895ab1d8f62e8e87b6cfdd6848be9504cc1b4ef103676bdd
                • Opcode Fuzzy Hash: de4ff190a2a6120d98b361c565e387465c48f92ef256f67bf7bb00eccf8d6269
                • Instruction Fuzzy Hash: 9FD0C931788351BAE774AB74AC0FF9B6A14AB04B51F004939B645AA2D0D9E46805C654