

Windows Analysis Report
FEdTp2g4xD.exe

Overview

General Information

Sample name: FEdTp2g4xD.exe (renamed because original name is a hash value)
Original sample name: 6236393f8e6e09812d6450503a99b36b8852cc3e8d673a5c1eebe76e0d65c157.exe
Analysis ID: 1589095
MD5: 66b2aab65e0afc1693d9f14e25c5c489
SHA1: 0b33469d687c17efaaceffc45ca3c8322a518436
SHA256: 6236393f8e6e09812d6450503a99b36b8852cc3e8d673a5c1eebe76e0d65c157
Tags: exe, Formbook, user-adrian__luca

Detection

FormBook
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • FEdTp2g4xD.exe (PID: 1848 cmdline: "C:\Users\user\Desktop\FEdTp2g4xD.exe" MD5: 66B2AAB65E0AFC1693D9F14E25C5C489)
    • svchost.exe (PID: 4872 cmdline: "C:\Users\user\Desktop\FEdTp2g4xD.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup
No configs have been found
Source: 00000002.00000002.2017424288.0000000002980000.00000004.00001000.00020000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 00000002.00000002.2017219736.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 2.2.svchost.exe.400000.0.raw.unpack, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 2.2.svchost.exe.400000.0.unpack, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Users\user\Desktop\FEdTp2g4xD.exe", CommandLine: "C:\Users\user\Desktop\FEdTp2g4xD.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\FEdTp2g4xD.exe", ParentImage: C:\Users\user\Desktop\FEdTp2g4xD.exe, ParentProcessId: 1848, ParentProcessName: FEdTp2g4xD.exe, ProcessCommandLine: "C:\Users\user\Desktop\FEdTp2g4xD.exe", ProcessId: 4872, ProcessName: svchost.exe
Source: Process started, Author: vburov, Data: Command: "C:\Users\user\Desktop\FEdTp2g4xD.exe", CommandLine: "C:\Users\user\Desktop\FEdTp2g4xD.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\FEdTp2g4xD.exe", ParentImage: C:\Users\user\Desktop\FEdTp2g4xD.exe, ParentProcessId: 1848, ParentProcessName: FEdTp2g4xD.exe, ProcessCommandLine: "C:\Users\user\Desktop\FEdTp2g4xD.exe", ProcessId: 4872, ProcessName: svchost.exe
No Suricata rule has matched


AV Detection

Source: FEdTp2g4xD.exe, Virustotal: Detection: 47%
Source: FEdTp2g4xD.exe, ReversingLabs: Detection: 70%
Source: Yara match, File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000002.00000002.2017424288.0000000002980000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.2017219736.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: FEdTp2g4xD.exe, Joe Sandbox ML: detected
Source: FEdTp2g4xD.exe, Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: wntdll.pdbUGP, source: FEdTp2g4xD.exe, 00000000.00000003.1361190033.0000000003900000.00000004.00001000.00020000.00000000.sdmp, FEdTp2g4xD.exe, 00000000.00000003.1368085015.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2017641262.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1682474742.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1684259857.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2017641262.000000000359E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb, source: FEdTp2g4xD.exe, 00000000.00000003.1361190033.0000000003900000.00000004.00001000.00020000.00000000.sdmp, FEdTp2g4xD.exe, 00000000.00000003.1368085015.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2017641262.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1682474742.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1684259857.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2017641262.000000000359E000.00000040.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\FEdTp2g4xD.exe, Code function: 0_2_000B6CA9 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\FEdTp2g4xD.exe, Code function: 0_2_000B60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\FEdTp2g4xD.exe, Code function: 0_2_000B63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\FEdTp2g4xD.exe, Code function: 0_2_000BEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\FEdTp2g4xD.exe, Code function: 0_2_000BF56F FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\FEdTp2g4xD.exe, Code function: 0_2_000BF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\FEdTp2g4xD.exe, Code function: 0_2_000C1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\FEdTp2g4xD.exe, Code function: 0_2_000C1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\FEdTp2g4xD.exe, Code function: 0_2_000C1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\FEdTp2g4xD.exe, Code function: 0_2_000C4EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile
Source: C:\Users\user\Desktop\FEdTp2g4xD.exe, Code function: 0_2_000C6B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\FEdTp2g4xD.exe, Code function: 0_2_000C6D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\FEdTp2g4xD.exe, Code function: 0_2_000C6B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\FEdTp2g4xD.exe, Code function: 0_2_000B2B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
Source: C:\Users\user\Desktop\FEdTp2g4xD.exe, Code function: 0_2_000DF7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

E-Banking Fraud

Source: Yara match, File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000002.00000002.2017424288.0000000002980000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.2017219736.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: C:\Users\user\Desktop\FEdTp2g4xD.exe, Code function: 0_2_00073D19 This is a third-party compiled AutoIt script.
Source: FEdTp2g4xD.exe, String found in binary or memory: This is a third-party compiled AutoIt script.
Source: FEdTp2g4xD.exe, 00000000.00000000.1351114989.000000000011E000.00000002.00000001.01000000.00000003.sdmp, String found in binary or memory: This is a third-party compiled AutoIt script. memstr_46a4f971-3
Source: FEdTp2g4xD.exe, 00000000.00000000.1351114989.000000000011E000.00000002.00000001.01000000.00000003.sdmp, String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_75ab7e28-4
Source: FEdTp2g4xD.exe, String found in binary or memory: This is a third-party compiled AutoIt script. memstr_9fe08975-1
Source: FEdTp2g4xD.exe, String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_3a86b4bd-7
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0042C7F3 NtClose
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03472B60 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03472DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034735C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03474340 NtSetContextThread
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03474650 NtSuspendThread
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03472BE0 NtQueryValueKey
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03472BF0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03472B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03472BA0 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03472AD0 NtReadFile
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03472AF0 NtWriteFile
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03472AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03472F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03472F30 NtCreateSection
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03472FE0 NtCreateFile
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03472F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03472FA0 NtQuerySection
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03472FB0 NtResumeThread
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03472E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03472EE0 NtQueueApcThread
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03472E80 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03472EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03472D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03472D10 NtMapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03472D30 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03472DD0 NtDelayExecution
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03472DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03472C60 NtCreateKey
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03472C70 NtFreeVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03472C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03472CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03472CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03472CA0 NtQueryInformationToken
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03473010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03473090 NtSetValueKey
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034739B0 NtGetContextThread
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03473D70 NtOpenThread
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03473D10 NtOpenProcessToken
Source: C:\Users\user\Desktop\FEdTp2g4xD.exe, Code function: 0_2_000B6606 CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\FEdTp2g4xD.exe, Code function: 0_2_000AACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\FEdTp2g4xD.exe, Code function: 0_2_000B79D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\Desktop\FEdTp2g4xD.exe, Code function: 0_2_0009B043
Source: C:\Users\user\Desktop\FEdTp2g4xD.exe, Code function: 0_2_00083200
Source: C:\Users\user\Desktop\FEdTp2g4xD.exe, Code function: 0_2_000A410F
Source: C:\Users\user\Desktop\FEdTp2g4xD.exe, Code function: 0_2_000902A4
Source: C:\Users\user\Desktop\FEdTp2g4xD.exe, Code function: 0_2_000A038E
Source: C:\Users\user\Desktop\FEdTp2g4xD.exe, Code function: 0_2_0007E3B0
Source: C:\Users\user\Desktop\FEdTp2g4xD.exe, Code function: 0_2_000A467F
Source: C:\Users\user\Desktop\FEdTp2g4xD.exe, Code function: 0_2_000906D9
Source: C:\Users\user\Desktop\FEdTp2g4xD.exe, Code function: 0_2_000DAACE
Source: C:\Users\user\Desktop\FEdTp2g4xD.exe, Code function: 0_2_000A4BEF
Source: C:\Users\user\Desktop\FEdTp2g4xD.exe, Code function: 0_2_0009CCC1
Source: C:\Users\user\Desktop\FEdTp2g4xD.exe, Code function: 0_2_00076F07
Source: C:\Users\user\Desktop\FEdTp2g4xD.exe, Code function: 0_2_0007AF50
Source: C:\Users\user\Desktop\FEdTp2g4xD.exe, Code function: 0_2_0008B11F
Source: C:\Users\user\Desktop\FEdTp2g4xD.exe, Code function: 0_2_0009D1B9
Source: C:\Users\user\Desktop\FEdTp2g4xD.exe, Code function: 0_2_000D31BC
Source: C:\Users\user\Desktop\FEdTp2g4xD.exe, Code function: 0_2_0009123A
Source: C:\Users\user\Desktop\FEdTp2g4xD.exe, Code function: 0_2_000A724D
Source: C:\Users\user\Desktop\FEdTp2g4xD.exe, Code function: 0_2_000B13CA
Source: C:\Users\user\Desktop\FEdTp2g4xD.exe, Code function: 0_2_000793F0
Source: C:\Users\user\Desktop\FEdTp2g4xD.exe, Code function: 0_2_0008F563
Source: C:\Users\user\Desktop\FEdTp2g4xD.exe, Code function: 0_2_000796C0
Source: C:\Users\user\Desktop\FEdTp2g4xD.exe, Code function: 0_2_000BB6CC
Source: C:\Users\user\Desktop\FEdTp2g4xD.exe, Code function: 0_2_000777B0
Source: C:\Users\user\Desktop\FEdTp2g4xD.exe, Code function: 0_2_000DF7FF
Source: C:\Users\user\Desktop\FEdTp2g4xD.exe, Code function: 0_2_000A79C9
Source: C:\Users\user\Desktop\FEdTp2g4xD.exe, Code function: 0_2_0008FA57
Source: C:\Users\user\Desktop\FEdTp2g4xD.exe, Code function: 0_2_00079B60
Source: C:\Users\user\Desktop\FEdTp2g4xD.exe, Code function: 0_2_00083B70
Source: C:\Users\user\Desktop\FEdTp2g4xD.exe, Code function: 0_2_00077D19
Source: C:\Users\user\Desktop\FEdTp2g4xD.exe, Code function: 0_2_0008FE6F
Source: C:\Users\user\Desktop\FEdTp2g4xD.exe, Code function: 0_2_00099ED0
Source: C:\Users\user\Desktop\FEdTp2g4xD.exe, Code function: 0_2_00077FA3
Source: C:\Users\user\Desktop\FEdTp2g4xD.exe, Code function: 0_2_0122FC08
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_004168F3
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00410143
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00401100
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0040E129
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0040E133
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0040E277
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00403200
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0040E283
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_004023AC
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_004023B0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00402CE0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0042EDF3
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00402740
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0040FF23
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00402731
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034FA352
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_035003E6
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034C02C0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034C8158
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03430100
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034F81CC
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034F41A2
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_035001AA
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03464750
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0343C7C0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0345C6E0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03500591
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034F2446
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034E4420
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034EE4F6
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034FAB40
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034F6BD7
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0350A9A6
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0344A840
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03442840
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0346E8F0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034268B8
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034B4F40
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03482F28
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03460F30
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034E2F30
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03432FC8
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0344CFE0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034BEFA0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03440E59
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034FEE26
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034FEEDB
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03452E90
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034FCE93
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0344AD00
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034DCD1F
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0343ADE0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03458DBF
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03440C00
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03430CF2
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034E0CB5
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0342D34C
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034F132D
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0348739A
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0345B2C0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034E12ED
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034452A0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0347516C
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0342F172
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0350B16B
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0344B1B0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034EF0CC
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034470C0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034F70E9
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034FF0E0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034FF7B0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03485630
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034F16CC
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034F7571
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_035095C3
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034DD5B0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03431460
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034FF43F
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034FFB76
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034B5BF0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0347DBF9
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0345FB80
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034FFA49
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034F7A46
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034B3A6C
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034EDAC6
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034DDAAC
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03485AA0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034E1AA3
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03449950
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0345B950
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034D5910
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034AD800
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034438E0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034FFF09
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03403FD2
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03403FD5
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03441F92
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034FFFB1
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03449EB0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03443D40
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034F1D5A
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034F7D73
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0345FDC0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034B9C32
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_034FFCF2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 034AEA12 appears 86 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 0342B970 appears 280 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03475130 appears 58 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03487E54 appears 110 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 034BF290 appears 105 times
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exeCode function: String function: 0009F8A0 appears 35 times
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exeCode function: String function: 00096AC0 appears 42 times
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exeCode function: String function: 0008EC2F appears 68 times
          Source: FEdTp2g4xD.exe, 00000000.00000003.1364641652.0000000003A73000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs FEdTp2g4xD.exe
          Source: FEdTp2g4xD.exe, 00000000.00000003.1368085015.0000000003C1D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs FEdTp2g4xD.exe
          Source: FEdTp2g4xD.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: classification engineClassification label: mal80.troj.evad.winEXE@3/2@0/0
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exeCode function: 0_2_000BCE7A GetLastError,FormatMessageW,0_2_000BCE7A
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exeCode function: 0_2_000AAB84 AdjustTokenPrivileges,CloseHandle,0_2_000AAB84
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exeCode function: 0_2_000AB134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_000AB134
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exeCode function: 0_2_000BE1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_000BE1FD
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exeCode function: 0_2_000B6532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,0_2_000B6532
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exeCode function: 0_2_000CC18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,0_2_000CC18C
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exeCode function: 0_2_0007406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_0007406B
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exeFile created: C:\Users\user\AppData\Local\Temp\aut33C5.tmpJump to behavior
          Source: FEdTp2g4xD.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: FEdTp2g4xD.exeVirustotal: Detection: 47%
          Source: FEdTp2g4xD.exeReversingLabs: Detection: 70%
          Source: unknownProcess created: C:\Users\user\Desktop\FEdTp2g4xD.exe "C:\Users\user\Desktop\FEdTp2g4xD.exe"
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\FEdTp2g4xD.exe"
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\FEdTp2g4xD.exe"Jump to behavior
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exeSection loaded: wsock32.dllJump to behavior
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exeSection loaded: winmm.dllJump to behavior
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exeSection loaded: ntmarta.dllJump to behavior
          Source: FEdTp2g4xD.exeStatic file information: File size 1207808 > 1048576
          Source: FEdTp2g4xD.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: FEdTp2g4xD.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: FEdTp2g4xD.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: FEdTp2g4xD.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: FEdTp2g4xD.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: FEdTp2g4xD.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: FEdTp2g4xD.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: wntdll.pdbUGP source: FEdTp2g4xD.exe, 00000000.00000003.1361190033.0000000003900000.00000004.00001000.00020000.00000000.sdmp, FEdTp2g4xD.exe, 00000000.00000003.1368085015.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2017641262.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1682474742.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1684259857.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2017641262.000000000359E000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: FEdTp2g4xD.exe, 00000000.00000003.1361190033.0000000003900000.00000004.00001000.00020000.00000000.sdmp, FEdTp2g4xD.exe, 00000000.00000003.1368085015.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2017641262.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1682474742.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1684259857.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2017641262.000000000359E000.00000040.00001000.00020000.00000000.sdmp
          Source: FEdTp2g4xD.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: FEdTp2g4xD.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: FEdTp2g4xD.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: FEdTp2g4xD.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: FEdTp2g4xD.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exe Code function: 0_2_0008E01E LoadLibraryA,GetProcAddress
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exe Code function: 0_2_0008288B push 66000823h; retn 000Eh 0_2_000828E1
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exe Code function: 0_2_00096B05 push ecx; ret 0_2_00096B18
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041907E push esp; retf 2_2_00419080
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041E83F push esi; ret 2_2_0041E840
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004238BA push es; retf 2_2_004238DF
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041EC2C push esp; retf 2_2_0041EC2E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00403480 push eax; ret 2_2_00403482
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00404DE2 push edx; retf 2_2_00404DEE
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040AE84 push 00000017h; ret 2_2_0040AE8A
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041668B push ss; ret 2_2_004166A1
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041668F push ss; ret 2_2_004166A1
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004017D0 push edi; ret 2_2_004017D2
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004227E2 push es; ret 2_2_004227EA
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0340225F pushad ; ret 2_2_034027F9
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034027FA pushad ; ret 2_2_034027F9
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034309AD push ecx; mov dword ptr [esp], ecx 2_2_034309B6
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0340283D push eax; iretd 2_2_03402858
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0340135E push eax; iretd 2_2_03401369
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exe Code function: 0_2_000D8111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exe Code function: 0_2_0008EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exe Code function: 0_2_0009123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\FEdTp2g4xD.exe API/Special instruction interceptor: Address: 122F82C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0347096E rdtsc
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exe Evaded block: after key decision graph_0-94989
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exe API coverage: 4.7 %
          Source: C:\Windows\SysWOW64\svchost.exe API coverage: 0.6 %
          Source: C:\Windows\SysWOW64\svchost.exe TID: 1008 Thread sleep time: -30000s >= -30000s
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exe Code function: 0_2_000B6CA9 GetFileAttributesW,FindFirstFileW,FindClose
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exe Code function: 0_2_000B60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exe Code function: 0_2_000B63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exe Code function: 0_2_000BEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exe Code function: 0_2_000BF56F FindFirstFileW,FindClose
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exe Code function: 0_2_000BF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exe Code function: 0_2_000C1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exe Code function: 0_2_000C1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exe Code function: 0_2_000C1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exe Code function: 0_2_0008DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exe API call chain: ExitProcess graph end node graph_0-94759
          Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0347096E rdtsc
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00417883 LdrLoadDll
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exe Code function: 0_2_000C6AAF BlockInput
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exe Code function: 0_2_00073D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exe Code function: 0_2_000A3920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exe Code function: 0_2_0008E01E LoadLibraryA,GetProcAddress
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exe Code function: 0_2_0122E448 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exe Code function: 0_2_0122FA98 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exe Code function: 0_2_0122FAF8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B035C mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034FA352 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034D8350 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0350634F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034D437C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0346A30B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0346A30B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0346A30B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0342C310 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03450310 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03508324 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03508324 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03508324 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03508324 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034EC3CD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B63C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034DE3DB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034DE3DB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034DE3DB mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034DE3DB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034D43D4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034D43D4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0344E3F0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0344E3F0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0344E3F0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034663FF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0342E388 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0342E388 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0342E388 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0345438F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0345438F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03428397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03428397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03428397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B8243 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B8243 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0350625D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0342A250 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03436259 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034EA250 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034EA250 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03434260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03434260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03434260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0342826B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0342823B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035062D6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034402E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034402E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034402E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0346E284 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0346E284 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B0283 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B0283 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B0283 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034402A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034402A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034C62A0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034C4144 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0342C156 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034C8158 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03436154 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03436154 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03504164 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03504164 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034DA118 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034DA118 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034DA118 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034DA118 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034F0115 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03460124 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034F61C3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F61C3 mov eax, dword ptr fs:[00000030h]2_2_034F61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]2_2_034AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]2_2_034AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE1D0 mov ecx, dword ptr fs:[00000030h]2_2_034AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]2_2_034AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]2_2_034AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035061E5 mov eax, dword ptr fs:[00000030h]2_2_035061E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034601F8 mov eax, dword ptr fs:[00000030h]2_2_034601F8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03470185 mov eax, dword ptr fs:[00000030h]2_2_03470185
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EC188 mov eax, dword ptr fs:[00000030h]2_2_034EC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EC188 mov eax, dword ptr fs:[00000030h]2_2_034EC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D4180 mov eax, dword ptr fs:[00000030h]2_2_034D4180
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D4180 mov eax, dword ptr fs:[00000030h]2_2_034D4180
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]2_2_034B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]2_2_034B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]2_2_034B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]2_2_034B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]2_2_0342A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]2_2_0342A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]2_2_0342A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03432050 mov eax, dword ptr fs:[00000030h]2_2_03432050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B6050 mov eax, dword ptr fs:[00000030h]2_2_034B6050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345C073 mov eax, dword ptr fs:[00000030h]2_2_0345C073
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B4000 mov ecx, dword ptr fs:[00000030h]2_2_034B4000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]2_2_0344E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]2_2_0344E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]2_2_0344E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]2_2_0344E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A020 mov eax, dword ptr fs:[00000030h]2_2_0342A020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342C020 mov eax, dword ptr fs:[00000030h]2_2_0342C020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C6030 mov eax, dword ptr fs:[00000030h]2_2_034C6030
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B20DE mov eax, dword ptr fs:[00000030h]2_2_034B20DE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A0E3 mov ecx, dword ptr fs:[00000030h]2_2_0342A0E3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034380E9 mov eax, dword ptr fs:[00000030h]2_2_034380E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B60E0 mov eax, dword ptr fs:[00000030h]2_2_034B60E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342C0F0 mov eax, dword ptr fs:[00000030h]2_2_0342C0F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034720F0 mov ecx, dword ptr fs:[00000030h]2_2_034720F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343208A mov eax, dword ptr fs:[00000030h]2_2_0343208A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034280A0 mov eax, dword ptr fs:[00000030h]2_2_034280A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C80A8 mov eax, dword ptr fs:[00000030h]2_2_034C80A8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F60B8 mov eax, dword ptr fs:[00000030h]2_2_034F60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F60B8 mov ecx, dword ptr fs:[00000030h]2_2_034F60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346674D mov esi, dword ptr fs:[00000030h]2_2_0346674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346674D mov eax, dword ptr fs:[00000030h]2_2_0346674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346674D mov eax, dword ptr fs:[00000030h]2_2_0346674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03430750 mov eax, dword ptr fs:[00000030h]2_2_03430750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BE75D mov eax, dword ptr fs:[00000030h]2_2_034BE75D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472750 mov eax, dword ptr fs:[00000030h]2_2_03472750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472750 mov eax, dword ptr fs:[00000030h]2_2_03472750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B4755 mov eax, dword ptr fs:[00000030h]2_2_034B4755
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03438770 mov eax, dword ptr fs:[00000030h]2_2_03438770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C700 mov eax, dword ptr fs:[00000030h]2_2_0346C700
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03430710 mov eax, dword ptr fs:[00000030h]2_2_03430710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03460710 mov eax, dword ptr fs:[00000030h]2_2_03460710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C720 mov eax, dword ptr fs:[00000030h]2_2_0346C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C720 mov eax, dword ptr fs:[00000030h]2_2_0346C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346273C mov eax, dword ptr fs:[00000030h]2_2_0346273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346273C mov ecx, dword ptr fs:[00000030h]2_2_0346273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346273C mov eax, dword ptr fs:[00000030h]2_2_0346273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AC730 mov eax, dword ptr fs:[00000030h]2_2_034AC730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343C7C0 mov eax, dword ptr fs:[00000030h]2_2_0343C7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B07C3 mov eax, dword ptr fs:[00000030h]2_2_034B07C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]2_2_034527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]2_2_034527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]2_2_034527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BE7E1 mov eax, dword ptr fs:[00000030h]2_2_034BE7E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034347FB mov eax, dword ptr fs:[00000030h]2_2_034347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034347FB mov eax, dword ptr fs:[00000030h]2_2_034347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D678E mov eax, dword ptr fs:[00000030h]2_2_034D678E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034307AF mov eax, dword ptr fs:[00000030h]2_2_034307AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E47A0 mov eax, dword ptr fs:[00000030h]2_2_034E47A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344C640 mov eax, dword ptr fs:[00000030h]2_2_0344C640
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F866E mov eax, dword ptr fs:[00000030h]2_2_034F866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F866E mov eax, dword ptr fs:[00000030h]2_2_034F866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A660 mov eax, dword ptr fs:[00000030h]2_2_0346A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A660 mov eax, dword ptr fs:[00000030h]2_2_0346A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03462674 mov eax, dword ptr fs:[00000030h]2_2_03462674
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE609 mov eax, dword ptr fs:[00000030h]2_2_034AE609
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472619 mov eax, dword ptr fs:[00000030h]2_2_03472619
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E627 mov eax, dword ptr fs:[00000030h]2_2_0344E627
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03466620 mov eax, dword ptr fs:[00000030h]2_2_03466620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03468620 mov eax, dword ptr fs:[00000030h]2_2_03468620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343262C mov eax, dword ptr fs:[00000030h]2_2_0343262C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0346A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A6C7 mov eax, dword ptr fs:[00000030h]2_2_0346A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]2_2_034AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]2_2_034AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]2_2_034AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]2_2_034AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B06F1 mov eax, dword ptr fs:[00000030h]2_2_034B06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B06F1 mov eax, dword ptr fs:[00000030h]2_2_034B06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03434690 mov eax, dword ptr fs:[00000030h]2_2_03434690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03434690 mov eax, dword ptr fs:[00000030h]2_2_03434690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C6A6 mov eax, dword ptr fs:[00000030h]2_2_0346C6A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034666B0 mov eax, dword ptr fs:[00000030h]2_2_034666B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03438550 mov eax, dword ptr fs:[00000030h]2_2_03438550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03438550 mov eax, dword ptr fs:[00000030h]2_2_03438550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346656A mov eax, dword ptr fs:[00000030h]2_2_0346656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346656A mov eax, dword ptr fs:[00000030h]2_2_0346656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346656A mov eax, dword ptr fs:[00000030h]2_2_0346656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C6500 mov eax, dword ptr fs:[00000030h]2_2_034C6500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]2_2_03504500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]2_2_03504500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]2_2_03504500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]2_2_03504500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]2_2_03504500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]2_2_03504500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]2_2_03504500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]2_2_03440535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]2_2_03440535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]2_2_03440535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]2_2_03440535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]2_2_03440535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]2_2_03440535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]2_2_0345E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]2_2_0345E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]2_2_0345E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]2_2_0345E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]2_2_0345E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E5CF mov eax, dword ptr fs:[00000030h]2_2_0346E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E5CF mov eax, dword ptr fs:[00000030h]2_2_0346E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034365D0 mov eax, dword ptr fs:[00000030h]2_2_034365D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A5D0 mov eax, dword ptr fs:[00000030h]2_2_0346A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A5D0 mov eax, dword ptr fs:[00000030h]2_2_0346A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]2_2_0345E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]2_2_0345E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]2_2_0345E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]2_2_0345E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]2_2_0345E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]2_2_0345E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]2_2_0345E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]2_2_0345E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034325E0 mov eax, dword ptr fs:[00000030h]2_2_034325E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C5ED mov eax, dword ptr fs:[00000030h]2_2_0346C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C5ED mov eax, dword ptr fs:[00000030h]2_2_0346C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03432582 mov eax, dword ptr fs:[00000030h]2_2_03432582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03432582 mov ecx, dword ptr fs:[00000030h]2_2_03432582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03464588 mov eax, dword ptr fs:[00000030h]2_2_03464588
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E59C mov eax, dword ptr fs:[00000030h]2_2_0346E59C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B05A7 mov eax, dword ptr fs:[00000030h]2_2_034B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B05A7 mov eax, dword ptr fs:[00000030h]2_2_034B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B05A7 mov eax, dword ptr fs:[00000030h]2_2_034B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034545B1 mov eax, dword ptr fs:[00000030h]2_2_034545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034545B1 mov eax, dword ptr fs:[00000030h]2_2_034545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]2_2_0346E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]2_2_0346E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]2_2_0346E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]2_2_0346E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]2_2_0346E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]2_2_0346E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]2_2_0346E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]2_2_0346E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EA456 mov eax, dword ptr fs:[00000030h]2_2_034EA456
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342645D mov eax, dword ptr fs:[00000030h]2_2_0342645D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345245A mov eax, dword ptr fs:[00000030h]2_2_0345245A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BC460 mov ecx, dword ptr fs:[00000030h]2_2_034BC460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345A470 mov eax, dword ptr fs:[00000030h]2_2_0345A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345A470 mov eax, dword ptr fs:[00000030h]2_2_0345A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345A470 mov eax, dword ptr fs:[00000030h]2_2_0345A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03468402 mov eax, dword ptr fs:[00000030h]2_2_03468402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03468402 mov eax, dword ptr fs:[00000030h]2_2_03468402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03468402 mov eax, dword ptr fs:[00000030h]2_2_03468402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342E420 mov eax, dword ptr fs:[00000030h]2_2_0342E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342E420 mov eax, dword ptr fs:[00000030h]2_2_0342E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342E420 mov eax, dword ptr fs:[00000030h]2_2_0342E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342C427 mov eax, dword ptr fs:[00000030h]2_2_0342C427
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]2_2_034B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]2_2_034B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]2_2_034B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]2_2_034B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]2_2_034B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]2_2_034B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]2_2_034B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A430 mov eax, dword ptr fs:[00000030h]2_2_0346A430
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034304E5 mov ecx, dword ptr fs:[00000030h]2_2_034304E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EA49A mov eax, dword ptr fs:[00000030h]2_2_034EA49A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034364AB mov eax, dword ptr fs:[00000030h]2_2_034364AB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034644B0 mov ecx, dword ptr fs:[00000030h]2_2_034644B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BA4B0 mov eax, dword ptr fs:[00000030h]2_2_034BA4B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E4B4B mov eax, dword ptr fs:[00000030h]2_2_034E4B4B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E4B4B mov eax, dword ptr fs:[00000030h]2_2_034E4B4B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03502B57 mov eax, dword ptr fs:[00000030h]2_2_03502B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03502B57 mov eax, dword ptr fs:[00000030h]2_2_03502B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03502B57 mov eax, dword ptr fs:[00000030h]2_2_03502B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03502B57 mov eax, dword ptr fs:[00000030h]2_2_03502B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C6B40 mov eax, dword ptr fs:[00000030h]2_2_034C6B40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C6B40 mov eax, dword ptr fs:[00000030h]2_2_034C6B40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FAB40 mov eax, dword ptr fs:[00000030h]2_2_034FAB40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D8B42 mov eax, dword ptr fs:[00000030h]2_2_034D8B42
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03428B50 mov eax, dword ptr fs:[00000030h]2_2_03428B50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DEB50 mov eax, dword ptr fs:[00000030h]2_2_034DEB50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342CB7E mov eax, dword ptr fs:[00000030h]2_2_0342CB7E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504B00 mov eax, dword ptr fs:[00000030h]2_2_03504B00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]2_2_034AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]2_2_034AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]2_2_034AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]2_2_034AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]2_2_034AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]2_2_034AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]2_2_034AEB1D
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0345EB20 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034F8B28 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03450BCB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03430BCD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034DEBD0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03438BF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0345EBFC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034BCBF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03440BBE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034E4BB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03440A5B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346CA6F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034DEA60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034ACA72 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034BCA11 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346CA24 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0345EA2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03454A35 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346CA38 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03486ACC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03430AD0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03464AD0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346AAEE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03504A80 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03468A90 mov edx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03438AA0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03486AA4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B0946 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03504940 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03456962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0347096E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0347096E mov edx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034D4978 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034BC97C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034AE908 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034BC912 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03428918 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B892A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034C892B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034C69C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034649D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034FA9D3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034BE9E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034629F9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034309AD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B89B3 mov esi, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B89B3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03442840 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03460854 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03434859 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034BE872 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034C6870 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034BC810 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03452835 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exe | Code function: 0_2_000AA66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exe | Code function: 0_2_00098189 SetUnhandledExceptionFilter
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exe | Code function: 0_2_000981AC SetUnhandledExceptionFilter,UnhandledExceptionFilter

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\Desktop\FEdTp2g4xD.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2AC9008
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exe | Code function: 0_2_000AB106 LogonUserW
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exe | Code function: 0_2_00073D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exe | Code function: 0_2_000B411C SendInput,keybd_event
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exe | Code function: 0_2_000B74BB mouse_event
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\FEdTp2g4xD.exe"
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exe | Code function: 0_2_000AA66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exe | Code function: 0_2_000B71FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid
          Source: FEdTp2g4xD.exe | Binary or memory string: Shell_TrayWnd
          Source: FEdTp2g4xD.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exe | Code function: 0_2_000965C4 cpuid
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exe | Code function: 0_2_000C091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exe | Code function: 0_2_000EB340 GetUserNameW
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exe | Code function: 0_2_000A1E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exe | Code function: 0_2_0008DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo

          Stealing of Sensitive Information

          Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000002.00000002.2017424288.0000000002980000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.2017219736.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: FEdTp2g4xD.exe | Binary or memory string: WIN_81
          Source: FEdTp2g4xD.exe | Binary or memory string: WIN_XP
          Source: FEdTp2g4xD.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
          Source: FEdTp2g4xD.exe | Binary or memory string: WIN_XPe
          Source: FEdTp2g4xD.exe | Binary or memory string: WIN_VISTA
          Source: FEdTp2g4xD.exe | Binary or memory string: WIN_7
          Source: FEdTp2g4xD.exe | Binary or memory string: WIN_8

          Remote Access Functionality

          Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000002.00000002.2017424288.0000000002980000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.2017219736.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exe | Code function: 0_2_000C8C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
          Source: C:\Users\user\Desktop\FEdTp2g4xD.exe | Code function: 0_2_000C923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket
          MITRE ATT&CK Matrix (tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact). Techniques with signature hits for this sample, by tactic:

          • Initial Access: Valid Accounts
          • Execution: Native API
          • Persistence: Valid Accounts, DLL Side-Loading
          • Privilege Escalation: Valid Accounts, Exploitation for Privilege Escalation, Access Token Manipulation, Process Injection, DLL Side-Loading
          • Defense Evasion: Valid Accounts, Disable or Modify Tools, Virtualization/Sandbox Evasion, Access Token Manipulation, Process Injection, Deobfuscate/Decode Files or Information, Obfuscated Files or Information, DLL Side-Loading
          • Credential Access: Input Capture
          • Discovery: System Time Discovery, Security Software Discovery, Virtualization/Sandbox Evasion, Process Discovery, Application Window Discovery, Account Discovery, System Owner/User Discovery, File and Directory Discovery, System Information Discovery
          • Collection: Input Capture, Archive Collected Data, Clipboard Data
          • Command and Control: Encrypted Channel, Ingress Tool Transfer
          • Impact: System Shutdown/Reboot
          Source | Detection | Scanner | Label
          FEdTp2g4xD.exe | 47% | Virustotal |
          FEdTp2g4xD.exe | 71% | ReversingLabs | Win32.Trojan.Vigorf
          FEdTp2g4xD.exe | 100% | Joe Sandbox ML |
          No Antivirus matches
          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | high
            No contacted IP infos
            Joe Sandbox version: 42.0.0 Malachite
            Analysis ID: 1589095
            Start date and time: 2025-01-11 09:34:06 +01:00
            Joe Sandbox product: CloudBasic
            Overall analysis duration: 0h 5m 55s
            Hypervisor based Inspection enabled: false
            Report type: full
            Cookbook file name: default.jbs
            Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Run name: Run with higher sleep bypass
            Number of new started processes analysed: 6
            Number of new started drivers analysed: 0
            Number of existing processes analysed: 0
            Number of existing drivers analysed: 0
            Number of injected processes analysed: 0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode: default
            Analysis stop reason: Timeout
            Sample name: FEdTp2g4xD.exe
            renamed because original name is a hash value
            Original Sample Name: 6236393f8e6e09812d6450503a99b36b8852cc3e8d673a5c1eebe76e0d65c157.exe
            Detection: MAL
            Classification: mal80.troj.evad.winEXE@3/2@0/0
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:
            • Successful, ratio: 98%
            • Number of executed functions: 50
            • Number of non-executed functions: 302
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
            • Sleep loops longer than 100000000ms are bypassed. Single calls with a delay of 100000000ms and higher are ignored
            • Stop behavior analysis, all processes terminated
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
            • Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.109.210.53, 172.202.163.200
            • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
            • Not all processes were analyzed; the report is missing behavior information
            • Report size exceeded maximum capacity and may have missing disassembly code.
            No simulations
            No context
            Match | Associated Sample Name / URL | Detection | Threat Name | Context
            s-part-0017.t-0009.t-msedge.net | 305861283730376077.js | malicious | Strela Downloader | 13.107.246.45
            s-part-0017.t-0009.t-msedge.net | 1274320496157183071.js | malicious | Strela Downloader | 13.107.246.45
            s-part-0017.t-0009.t-msedge.net | 944924352317221058.js | malicious | Strela Downloader | 13.107.246.45
            s-part-0017.t-0009.t-msedge.net | kzQ25HVUbf.exe | malicious | Lokibot | 13.107.246.45
            s-part-0017.t-0009.t-msedge.net | huuG7N3jOv.exe | malicious | FormBook | 13.107.246.45
            s-part-0017.t-0009.t-msedge.net | x8M2g1Xxhz.exe | malicious | Snake Keylogger, VIP Keylogger | 13.107.246.45
            s-part-0017.t-0009.t-msedge.net | 4287eV6mBc.exe | malicious | AgentTesla | 13.107.246.45
            s-part-0017.t-0009.t-msedge.net | Yv24LkKBY6.exe | malicious | Unknown | 13.107.246.45
            s-part-0017.t-0009.t-msedge.net | 11626244731900027402.js | malicious | Strela Downloader | 13.107.246.45
            s-part-0017.t-0009.t-msedge.net | QQpQgSYkjW.exe | malicious | FormBook | 13.107.246.45
            Process: C:\Users\user\Desktop\FEdTp2g4xD.exe
            File Type: data
            Category: dropped
            Size (bytes): 288256
            Entropy (8bit): 7.994762906652376
            Encrypted: true
            SSDEEP: 6144:r+FnR5mBuOeDd7gdrtLwfoSD0arXddPlW4keV2zKt6D9Anha2:weBzsitmoSfrNdPQg8Dqnf
            MD5: EF64177B907F59A0790D09E26206D7B1
            SHA1: 3BBF9BAC99FD29E31E60B7FA3CBDE760FCD5ECE4
            SHA-256: EAA5B24FC1F9BF405AD8DD300FA3E911D212CED0F00C1BC2DCBDAD1C591D6AFA
            SHA-512: F40A9EF9308409E08627AFA3FD6E32E3374CD1670C50E90CF904BC952A92440B27EF834266DEDCB0C6F3CE43B8771D801540927EB0CDC67108CF190105BA7FA9
            Malicious: false
            Reputation: low
            File type: PE32 executable (GUI) Intel 80386, for MS Windows
            Entropy (8bit): 7.139566129394039
            TrID:
            • Win32 Executable (generic) a (10002005/4) 99.96%
            • Generic Win/DOS Executable (2004/3) 0.02%
            • DOS Executable Generic (2002/1) 0.02%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name: FEdTp2g4xD.exe
            File size: 1'207'808 bytes
            MD5: 66b2aab65e0afc1693d9f14e25c5c489
            SHA1: 0b33469d687c17efaaceffc45ca3c8322a518436
            SHA256: 6236393f8e6e09812d6450503a99b36b8852cc3e8d673a5c1eebe76e0d65c157
            SHA512: 2b75c1e4f95fe74129d2b319bcfbce04e9f0907f4d270977ec57ad53637903256785f1d6a307529308a4d187c0cb264e706c94bf8db41e2ba23267fb1638b08c
            SSDEEP: 24576:0tb20pkaCqT5TBWgNQ7a+VLZVm5ya5KV95p/66A:dVg5tQ7a+VVg5ywio5
            TLSH: E845C01273DEC361C3725273BA25B741BE7F782506A5F56B2FD8093DB820222525EA73
            File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........
            Icon Hash: aaf3e3e3938382a0
            Entrypoint: 0x425f74
            Entrypoint Section: .text
            Digitally signed: false
            Imagebase: 0x400000
            Subsystem: windows gui
            Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
            Time Stamp: 0x67486360 [Thu Nov 28 12:34:40 2024 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major: 5
            OS Version Minor: 1
            File Version Major: 5
            File Version Minor: 1
            Subsystem Version Major: 5
            Subsystem Version Minor: 1
            Import Hash: 3d95adbf13bbe79dc24dccb401c12091
            Instruction
            call 00007F7CBCBD019Fh
            jmp 00007F7CBCBC31B4h
            int3
            int3
            push edi
            push esi
            mov esi, dword ptr [esp+10h]
            mov ecx, dword ptr [esp+14h]
            mov edi, dword ptr [esp+0Ch]
            mov eax, ecx
            mov edx, ecx
            add eax, esi
            cmp edi, esi
            jbe 00007F7CBCBC333Ah
            cmp edi, eax
            jc 00007F7CBCBC369Eh
            bt dword ptr [004C0158h], 01h
            jnc 00007F7CBCBC3339h
            rep movsb
            jmp 00007F7CBCBC364Ch
            cmp ecx, 00000080h
            jc 00007F7CBCBC3504h
            mov eax, edi
            xor eax, esi
            test eax, 0000000Fh
            jne 00007F7CBCBC3340h
            bt dword ptr [004BA370h], 01h
            jc 00007F7CBCBC3810h
            bt dword ptr [004C0158h], 00000000h
            jnc 00007F7CBCBC34DDh
            test edi, 00000003h
            jne 00007F7CBCBC34EEh
            test esi, 00000003h
            jne 00007F7CBCBC34CDh
            bt edi, 02h
            jnc 00007F7CBCBC333Fh
            mov eax, dword ptr [esi]
            sub ecx, 04h
            lea esi, dword ptr [esi+04h]
            mov dword ptr [edi], eax
            lea edi, dword ptr [edi+04h]
            bt edi, 03h
            jnc 00007F7CBCBC3343h
            movq xmm1, qword ptr [esi]
            sub ecx, 08h
            lea esi, dword ptr [esi+08h]
            movq qword ptr [edi], xmm1
            lea edi, dword ptr [edi+08h]
            test esi, 00000007h
            je 00007F7CBCBC3395h
            bt esi, 03h
            jnc 00007F7CBCBC33E8h
            movdqa xmm1, dqword ptr [esi+00h]
            Programming Language:
            • [ C ] VS2008 SP1 build 30729
            • [IMP] VS2008 SP1 build 30729
            • [ASM] VS2012 UPD4 build 61030
            • [RES] VS2012 UPD4 build 61030
            • [LNK] VS2012 UPD4 build 61030
            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb7004 | 0x17c | .rdata
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc4000 | 0x5dc7c | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x122000 | 0x6c4c | .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8d8d0 | 0x1c | .rdata
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb2730 | 0x40 | .rdata
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IAT | 0x8d000 | 0x860 | .rdata
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            .text | 0x1000 | 0x8b54f | 0x8b600 | f437a6545e938612764dbb0a314376fc | False | 0.5699499019058296 | data | 6.680413749210956 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .rdata | 0x8d000 | 0x2cc42 | 0x2ce00 | 827ffd24759e8e420890ecf164be989e | False | 0.330464397632312 | data | 5.770192333189168 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .data | 0xba000 | 0x9d54 | 0x6200 | e0a519f8e3a35fae0d9c2cfd5a4bacfc | False | 0.16402264030612246 | data | 2.002691099965349 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .rsrc | 0xc4000 | 0x5dc7c | 0x5de00 | ed3fff059dcf4aa14b18f4fbeefff4cd | False | 0.9297187083888149 | data | 7.898369674761974 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc | 0x122000 | 0xa474 | 0xa600 | 0bc98f8631ef0bde830a7f83bb06ff08 | False | 0.5017884036144579 | data | 5.245426654116355 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
            RT_ICON | 0xc45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
            RT_ICON | 0xc46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
            RT_ICON | 0xc47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
            RT_ICON | 0xc4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
            RT_ICON | 0xc4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
            RT_ICON | 0xc4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
            RT_ICON | 0xc5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
            RT_ICON | 0xc6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
            RT_ICON | 0xc69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
            RT_ICON | 0xc8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
            RT_ICON | 0xca038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
            RT_MENU | 0xca4a0 | 0x50 | data | English | Great Britain | 0.9
            RT_STRING | 0xca4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
            RT_STRING | 0xcaa84 | 0x68a | data | English | Great Britain | 0.2747909199522103
            RT_STRING | 0xcb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
            RT_STRING | 0xcb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
            RT_STRING | 0xcbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
            RT_STRING | 0xcc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
            RT_STRING | 0xcc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
            RT_RCDATA | 0xcc7b8 | 0x54f81 | data | | | 1.000333301727135
            RT_GROUP_ICON | 0x12173c | 0x76 | data | English | Great Britain | 0.6610169491525424
            RT_GROUP_ICON | 0x1217b4 | 0x14 | data | English | Great Britain | 1.25
            RT_GROUP_ICON | 0x1217c8 | 0x14 | data | English | Great Britain | 1.15
            RT_GROUP_ICON | 0x1217dc | 0x14 | data | English | Great Britain | 1.25
            RT_VERSION | 0x1217f0 | 0xdc | data | English | Great Britain | 0.6181818181818182
            RT_MANIFEST | 0x1218cc | 0x3b0 | ASCII text, with CRLF line terminators | English | Great Britain | 0.5116525423728814
            DLL | Import
            WSOCK32.dll | __WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
            VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
            WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
            COMCTL32.dll | ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
            MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
            WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
            PSAPI.DLL | GetProcessMemoryInfo
            IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
            USERENV.dll | UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
            UxTheme.dll | IsThemeActive
            KERNEL32.dll | HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
            USER32.dll | SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
            GDI32.dll | SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
            COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
            ADVAPI32.dll | GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
            SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
            ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
            OLEAUT32.dll | RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit
            Language of compilation system | Country where language is spoken | Map
            English | Great Britain |
            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
            Jan 11, 2025 09:34:55.378359079 CET | 1.1.1.1 | 192.168.2.9 | 0xd82c | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
            Jan 11, 2025 09:34:55.378359079 CET | 1.1.1.1 | 192.168.2.9 | 0xd82c | No error (0) | s-part-0017.t-0009.t-msedge.net | | 13.107.246.45 | A (IP address) | IN (0x0001) | false


            Target ID:0
            Start time:03:34:59
            Start date:11/01/2025
            Path:C:\Users\user\Desktop\FEdTp2g4xD.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\FEdTp2g4xD.exe"
            Imagebase:0x70000
            File size:1'207'808 bytes
            MD5 hash:66B2AAB65E0AFC1693D9F14E25C5C489
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            Target ID:2
            Start time:03:35:00
            Start date:11/01/2025
            Path:C:\Windows\SysWOW64\svchost.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\FEdTp2g4xD.exe"
            Imagebase:0x930000
            File size:46'504 bytes
            MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2017424288.0000000002980000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2017219736.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
            Reputation:high
            Has exited:true


              Execution Graph

              Execution Coverage:3.8%
              Dynamic/Decrypted Code Coverage:1.5%
              Signature Coverage:9.8%
              Total number of Nodes:2000
              Total number of Limit Nodes:153
              execution_graph: node and edge data of the interactive execution-graph viewer (function-address nodes annotated with the API calls they reach, including VirtualAlloc, CreateFileW, ReadFile, VirtualFree, CloseHandle, GetPEB, VirtualProtect, GetCurrentProcess, TerminateProcess, CharLowerBuffW, FreeLibrary, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, GetFullPathNameW, GetModuleFileNameW, RaiseException, RtlAllocateHeap, GetStartupInfoW, GetProcessHeap, InitializeCriticalSectionAndSpinCount, TlsAlloc, GetCurrentThreadId, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetStdHandle, GetFileType, GetModuleHandleExW, GetProcAddress, ExitProcess, InterlockedDecrement); the raw node listing is not readable as text
94659 a2aaf _wparse_cmdline 94658->94659 94660 95eb7 94659->94660 94661 a2ae9 94659->94661 94660->94594 94698 9115b 47 API calls 3 library calls 94660->94698 94771 969d0 47 API calls std::exception::_Copy_str 94661->94771 94663 a2aef _wparse_cmdline 94663->94660 94665 a2ccd __NMSG_WRITE 94664->94665 94669 a2cc5 94664->94669 94666 96986 __calloc_crt 47 API calls 94665->94666 94674 a2cf6 __NMSG_WRITE 94666->94674 94667 a2d4d 94668 91c9d _free 47 API calls 94667->94668 94668->94669 94669->94595 94670 96986 __calloc_crt 47 API calls 94670->94674 94671 a2d72 94673 91c9d _free 47 API calls 94671->94673 94673->94669 94674->94667 94674->94669 94674->94670 94674->94671 94675 a2d89 94674->94675 94772 a2567 47 API calls __wsplitpath_helper 94674->94772 94773 96e20 IsProcessorFeaturePresent 94675->94773 94677 a2d95 94677->94595 94679 911a1 __initterm_e __initp_misc_cfltcvt_tab __IsNonwritableInCurrentImage 94678->94679 94681 911e0 __IsNonwritableInCurrentImage 94679->94681 94796 90f0a 52 API calls __cinit 94679->94796 94681->94599 94683 e1ebf 94682->94683 94684 73a29 94682->94684 94685 73a63 IsThemeActive 94684->94685 94797 91405 94685->94797 94689 73a8f 94809 73adb SystemParametersInfoW SystemParametersInfoW 94689->94809 94691 73a9b 94810 73d19 94691->94810 94693 73aa3 SystemParametersInfoW 94694 73ac8 94693->94694 94694->94603 94695->94577 94696->94581 94697->94588 94701->94604 94702->94607 94703->94613 94704->94615 94705->94619 94706->94620 94710 9698d 94707->94710 94709 969ca 94709->94624 94713 97ec9 TlsSetValue 94709->94713 94710->94709 94711 969ab Sleep 94710->94711 94716 a30aa 94710->94716 94712 969c2 94711->94712 94712->94709 94712->94710 94713->94628 94714->94631 94715->94627 94717 a30b5 94716->94717 94718 a30d0 __calloc_impl 94716->94718 94717->94718 94719 a30c1 94717->94719 94720 a30e0 RtlAllocateHeap 94718->94720 94722 a30c6 94718->94722 94723 97c0e 47 API calls __getptd_noexit 94719->94723 94720->94718 94720->94722 94722->94710 94723->94722 94725 97d18 
EnterCriticalSection 94724->94725 94726 97d05 94724->94726 94725->94635 94732 97d7c 94726->94732 94728 97d0b 94728->94725 94756 9115b 47 API calls 3 library calls 94728->94756 94731->94638 94733 97d88 __setmbcp 94732->94733 94734 97da9 94733->94734 94735 97d91 94733->94735 94737 97da7 94734->94737 94745 97e11 __setmbcp 94734->94745 94757 981c2 47 API calls __NMSG_WRITE 94735->94757 94737->94734 94760 969d0 47 API calls std::exception::_Copy_str 94737->94760 94738 97d96 94758 9821f 47 API calls 4 library calls 94738->94758 94741 97dbd 94742 97dd3 94741->94742 94743 97dc4 94741->94743 94747 97cf4 __lock 46 API calls 94742->94747 94761 97c0e 47 API calls __getptd_noexit 94743->94761 94744 97d9d 94759 91145 GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 94744->94759 94745->94728 94750 97dda 94747->94750 94749 97dc9 94749->94745 94751 97de9 InitializeCriticalSectionAndSpinCount 94750->94751 94752 97dfe 94750->94752 94753 97e04 94751->94753 94762 91c9d 94752->94762 94768 97e1a LeaveCriticalSection _doexit 94753->94768 94757->94738 94758->94744 94760->94741 94761->94749 94763 91ca6 RtlFreeHeap 94762->94763 94767 91ccf _free 94762->94767 94764 91cbb 94763->94764 94763->94767 94769 97c0e 47 API calls __getptd_noexit 94764->94769 94766 91cc1 GetLastError 94766->94767 94767->94753 94768->94745 94769->94766 94770->94656 94771->94663 94772->94674 94774 96e2b 94773->94774 94779 96cb5 94774->94779 94778 96e46 94778->94677 94780 96ccf _memset ___raise_securityfailure 94779->94780 94781 96cef IsDebuggerPresent 94780->94781 94787 981ac SetUnhandledExceptionFilter UnhandledExceptionFilter 94781->94787 94783 96db3 ___raise_securityfailure 94788 9a70c 94783->94788 94785 96dd6 94786 98197 GetCurrentProcess TerminateProcess 94785->94786 94786->94778 94787->94783 94789 9a714 94788->94789 94790 9a716 IsProcessorFeaturePresent 94788->94790 94789->94785 94792 a37b0 94790->94792 94795 a375f 5 API calls 2 library calls 94792->94795 94794 a3893 94794->94785 94795->94794 
94796->94681 94798 97cf4 __lock 47 API calls 94797->94798 94799 91410 94798->94799 94862 97e58 LeaveCriticalSection 94799->94862 94801 73a88 94802 9146d 94801->94802 94803 91491 94802->94803 94804 91477 94802->94804 94803->94689 94804->94803 94863 97c0e 47 API calls __getptd_noexit 94804->94863 94806 91481 94864 96e10 8 API calls __wsplitpath_helper 94806->94864 94808 9148c 94808->94689 94809->94691 94811 73d26 __ftell_nolock 94810->94811 94812 7d7f7 48 API calls 94811->94812 94813 73d31 GetCurrentDirectoryW 94812->94813 94865 761ca 94813->94865 94815 73d57 IsDebuggerPresent 94816 73d65 94815->94816 94817 e1cc1 MessageBoxA 94815->94817 94818 73e3a 94816->94818 94819 e1cd9 94816->94819 94820 73d82 94816->94820 94817->94819 94821 73e41 SetCurrentDirectoryW 94818->94821 95051 8c682 48 API calls 94819->95051 94939 740e5 94820->94939 94824 73e4e Mailbox 94821->94824 94824->94693 94825 e1ce9 94830 e1cff SetCurrentDirectoryW 94825->94830 94827 73da0 GetFullPathNameW 94828 76a63 48 API calls 94827->94828 94829 73ddb 94828->94829 94955 76430 94829->94955 94830->94824 94833 73df6 94834 73e00 94833->94834 95052 b71fa AllocateAndInitializeSid CheckTokenMembership FreeSid 94833->95052 94971 73e6e GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 94834->94971 94838 e1d1c 94838->94834 94840 e1d2d 94838->94840 94843 75374 50 API calls 94840->94843 94841 73e0a 94842 73e1f 94841->94842 94979 74ffc 94841->94979 94989 7e8d0 94842->94989 94846 e1d35 94843->94846 94848 7ce19 48 API calls 94846->94848 94849 e1d42 94848->94849 94850 e1d6e 94849->94850 94851 e1d49 94849->94851 94854 7518c 48 API calls 94850->94854 94853 7518c 48 API calls 94851->94853 94855 e1d54 94853->94855 94856 e1d6a GetForegroundWindow ShellExecuteW 94854->94856 95053 7510d 94855->95053 94860 e1d9e Mailbox 94856->94860 94860->94818 94861 7518c 48 API calls 94861->94856 94862->94801 94863->94806 94864->94808 95062 8e99b 94865->95062 94869 761eb 94870 75374 50 API calls 94869->94870 94871 761ff 94870->94871 
94872 7ce19 48 API calls 94871->94872 94873 7620c 94872->94873 95079 739db 94873->95079 94875 76216 Mailbox 94876 76eed 48 API calls 94875->94876 94877 7622b 94876->94877 95091 79048 94877->95091 94880 7ce19 48 API calls 94881 76244 94880->94881 95094 7d6e9 94881->95094 94883 76254 Mailbox 94884 7ce19 48 API calls 94883->94884 94885 7627c 94884->94885 94886 7d6e9 55 API calls 94885->94886 94887 7628f Mailbox 94886->94887 94888 7ce19 48 API calls 94887->94888 94889 762a0 94888->94889 95098 7d645 94889->95098 94891 762b2 Mailbox 94892 7d7f7 48 API calls 94891->94892 94893 762c5 94892->94893 95108 763fc 94893->95108 94897 762df 94898 e1c08 94897->94898 94899 762e9 94897->94899 94900 763fc 48 API calls 94898->94900 94901 90fa7 _W_store_winword 59 API calls 94899->94901 94902 e1c1c 94900->94902 94903 762f4 94901->94903 94906 763fc 48 API calls 94902->94906 94903->94902 94904 762fe 94903->94904 94905 90fa7 _W_store_winword 59 API calls 94904->94905 94907 76309 94905->94907 94908 e1c38 94906->94908 94907->94908 94909 76313 94907->94909 94911 75374 50 API calls 94908->94911 94910 90fa7 _W_store_winword 59 API calls 94909->94910 94912 7631e 94910->94912 94913 e1c5d 94911->94913 94915 7635f 94912->94915 94917 e1c86 94912->94917 94920 763fc 48 API calls 94912->94920 94914 763fc 48 API calls 94913->94914 94916 e1c69 94914->94916 94915->94917 94918 7636c 94915->94918 94919 76eed 48 API calls 94916->94919 94921 76eed 48 API calls 94917->94921 94922 8c050 48 API calls 94918->94922 94923 e1c77 94919->94923 94924 76342 94920->94924 94925 e1ca8 94921->94925 94926 76384 94922->94926 94927 763fc 48 API calls 94923->94927 94928 76eed 48 API calls 94924->94928 94929 763fc 48 API calls 94925->94929 94930 81b90 48 API calls 94926->94930 94927->94917 94931 76350 94928->94931 94932 e1cb5 94929->94932 94936 76394 94930->94936 94933 763fc 48 API calls 94931->94933 94932->94932 94933->94915 94934 81b90 48 API calls 94934->94936 94936->94934 94937 763fc 48 API calls 94936->94937 94938 763d6 
Mailbox 94936->94938 95124 76b68 48 API calls 94936->95124 94937->94936 94938->94815 94940 740f2 __ftell_nolock 94939->94940 94941 e370e _memset 94940->94941 94942 7410b 94940->94942 94945 e372a GetOpenFileNameW 94941->94945 94943 7660f 49 API calls 94942->94943 94944 74114 94943->94944 95648 740a7 94944->95648 94946 e3779 94945->94946 94948 76a63 48 API calls 94946->94948 94950 e378e 94948->94950 94950->94950 94952 74129 95666 74139 94952->95666 94956 7643d __ftell_nolock 94955->94956 95871 74c75 94956->95871 94958 76442 94970 73dee 94958->94970 95882 75928 86 API calls 94958->95882 94960 7644f 94960->94970 95883 75798 88 API calls Mailbox 94960->95883 94962 76458 94963 7645c GetFullPathNameW 94962->94963 94962->94970 94964 76a63 48 API calls 94963->94964 94965 76488 94964->94965 94966 76a63 48 API calls 94965->94966 94968 76495 94966->94968 94967 e5dcf _wcscat 94968->94967 94969 76a63 48 API calls 94968->94969 94969->94970 94970->94825 94970->94833 94972 e1cba 94971->94972 94973 73ed8 94971->94973 95929 74024 94973->95929 94977 73e05 94978 736b8 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 94977->94978 94978->94841 94980 75027 _memset 94979->94980 95934 74c30 94980->95934 94983 750ac 94985 e3d28 Shell_NotifyIconW 94983->94985 94986 750ca Shell_NotifyIconW 94983->94986 95938 751af 94986->95938 94988 750df 94988->94842 94990 7e8f6 94989->94990 95049 7e906 Mailbox 94989->95049 94992 7ed52 94990->94992 94990->95049 94991 bcc5c 86 API calls 94991->95049 96119 8e3cd 335 API calls 94992->96119 94994 73e2a 94994->94818 95050 73847 Shell_NotifyIconW _memset 94994->95050 94996 7ed63 94996->94994 94998 7ed70 94996->94998 94997 7e94c PeekMessageW 94997->95049 96121 8e312 335 API calls Mailbox 94998->96121 95000 e526e Sleep 95000->95049 95001 7ed77 LockWindowUpdate DestroyWindow GetMessageW 95001->94994 95004 7eda9 95001->95004 95002 7ebc7 95002->94994 96120 72ff6 16 API calls 95002->96120 95006 e59ef TranslateMessage DispatchMessageW GetMessageW 95004->95006 
95006->95006 95007 e5a1f 95006->95007 95007->94994 95008 7ed21 PeekMessageW 95008->95049 95009 7ebf7 timeGetTime 95009->95049 95011 76eed 48 API calls 95011->95049 95012 7ed3a TranslateMessage DispatchMessageW 95012->95008 95013 e5557 WaitForSingleObject 95018 e5574 GetExitCodeProcess CloseHandle 95013->95018 95013->95049 95014 8f4ea 48 API calls 95014->95049 95015 7d7f7 48 API calls 95045 e5429 Mailbox 95015->95045 95016 72aae 311 API calls 95016->95049 95017 e588f Sleep 95017->95045 95018->95049 95019 7edae timeGetTime 96122 71caa 49 API calls 95019->96122 95022 e5733 Sleep 95022->95045 95023 8dc38 timeGetTime 95023->95045 95026 e5926 GetExitCodeProcess 95027 e593c WaitForSingleObject 95026->95027 95028 e5952 CloseHandle 95026->95028 95027->95028 95027->95049 95028->95045 95029 e5445 Sleep 95029->95049 95030 72c79 107 API calls 95030->95045 95032 e5432 Sleep 95032->95029 95033 d8c4b 108 API calls 95033->95045 95034 e59ae Sleep 95034->95049 95035 71caa 49 API calls 95035->95049 95037 7ce19 48 API calls 95037->95045 95040 7fe30 311 API calls 95040->95049 95041 7d6e9 55 API calls 95041->95045 95045->95015 95045->95023 95045->95026 95045->95029 95045->95030 95045->95032 95045->95033 95045->95034 95045->95037 95045->95041 95045->95049 96124 b4cbe 49 API calls Mailbox 95045->96124 96125 71caa 49 API calls 95045->96125 96126 72aae 335 API calls 95045->96126 96127 cccb2 50 API calls 95045->96127 96128 b7a58 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 95045->96128 96129 b6532 63 API calls 3 library calls 95045->96129 95047 7ce19 48 API calls 95047->95049 95048 7d6e9 55 API calls 95048->95049 95049->94991 95049->94997 95049->95000 95049->95002 95049->95008 95049->95009 95049->95011 95049->95012 95049->95013 95049->95014 95049->95016 95049->95017 95049->95019 95049->95022 95049->95029 95049->95035 95049->95040 95049->95045 95049->95047 95049->95048 95961 7f110 95049->95961 96026 845e0 95049->96026 96043 83200 95049->96043 96115 
7eed0 335 API calls Mailbox 95049->96115 96116 7ef00 335 API calls 95049->96116 96117 8e244 TranslateAcceleratorW 95049->96117 96118 8dc5f IsDialogMessageW GetClassLongW 95049->96118 96123 d8d23 48 API calls 95049->96123 95050->94818 95051->94825 95052->94838 95054 7511f 95053->95054 95055 e1be7 95053->95055 95056 7b384 48 API calls 95054->95056 96367 aa58f 48 API calls _memcpy_s 95055->96367 95058 7512b 95056->95058 95058->94861 95059 e1bf1 95060 76eed 48 API calls 95059->95060 95061 e1bf9 Mailbox 95060->95061 95063 7d7f7 48 API calls 95062->95063 95064 761db 95063->95064 95065 76009 95064->95065 95066 76016 __ftell_nolock 95065->95066 95067 76a63 48 API calls 95066->95067 95073 7617c Mailbox 95066->95073 95069 76048 95067->95069 95078 7607e Mailbox 95069->95078 95125 761a6 95069->95125 95070 761a6 48 API calls 95070->95078 95071 7614f 95072 7ce19 48 API calls 95071->95072 95071->95073 95075 76170 95072->95075 95073->94869 95074 7ce19 48 API calls 95074->95078 95076 764cf 48 API calls 95075->95076 95076->95073 95077 764cf 48 API calls 95077->95078 95078->95070 95078->95071 95078->95073 95078->95074 95078->95077 95128 741a9 95079->95128 95082 73a06 95082->94875 95085 e2ff0 95087 91c9d _free 47 API calls 95085->95087 95088 e2ffd 95087->95088 95089 74252 84 API calls 95088->95089 95090 e3006 95089->95090 95090->95090 95092 8f4ea 48 API calls 95091->95092 95093 76237 95092->95093 95093->94880 95095 7d6f4 95094->95095 95097 7d71b 95095->95097 95641 7d764 55 API calls 95095->95641 95097->94883 95099 7d654 95098->95099 95107 7d67e 95098->95107 95100 7d65b 95099->95100 95104 7d6c2 95099->95104 95101 7d6ab 95100->95101 95102 7d666 95100->95102 95101->95107 95643 8dce0 53 API calls 95101->95643 95642 7d9a0 53 API calls __cinit 95102->95642 95104->95101 95644 8dce0 53 API calls 95104->95644 95107->94891 95109 76406 95108->95109 95110 7641f 95108->95110 95111 76eed 48 API calls 95109->95111 95112 76a63 48 API calls 95110->95112 95113 762d1 95111->95113 95112->95113 95114 
90fa7 95113->95114 95115 91028 95114->95115 95116 90fb3 95114->95116 95647 9103a 59 API calls 3 library calls 95115->95647 95123 90fd8 95116->95123 95645 97c0e 47 API calls __getptd_noexit 95116->95645 95119 91035 95119->94897 95120 90fbf 95646 96e10 8 API calls __wsplitpath_helper 95120->95646 95122 90fca 95122->94897 95123->94897 95124->94936 95126 7bdfa 48 API calls 95125->95126 95127 761b1 95126->95127 95127->95069 95193 74214 95128->95193 95133 741d4 LoadLibraryExW 95203 74291 95133->95203 95134 e4f73 95136 74252 84 API calls 95134->95136 95138 e4f7a 95136->95138 95140 74291 3 API calls 95138->95140 95142 e4f82 95140->95142 95141 741fb 95141->95142 95143 74207 95141->95143 95229 744ed 95142->95229 95145 74252 84 API calls 95143->95145 95147 739fe 95145->95147 95147->95082 95152 bc396 95147->95152 95149 e4fa9 95237 74950 95149->95237 95151 e4fb6 95153 74517 83 API calls 95152->95153 95154 bc405 95153->95154 95415 bc56d 95154->95415 95157 744ed 64 API calls 95158 bc432 95157->95158 95159 744ed 64 API calls 95158->95159 95160 bc442 95159->95160 95161 744ed 64 API calls 95160->95161 95162 bc45d 95161->95162 95163 744ed 64 API calls 95162->95163 95164 bc478 95163->95164 95165 74517 83 API calls 95164->95165 95166 bc48f 95165->95166 95167 9395c std::exception::_Copy_str 47 API calls 95166->95167 95168 bc496 95167->95168 95169 9395c std::exception::_Copy_str 47 API calls 95168->95169 95170 bc4a0 95169->95170 95171 744ed 64 API calls 95170->95171 95172 bc4b4 95171->95172 95173 bbf5a GetSystemTimeAsFileTime 95172->95173 95174 bc4c7 95173->95174 95175 bc4dc 95174->95175 95176 bc4f1 95174->95176 95177 91c9d _free 47 API calls 95175->95177 95178 bc4f7 95176->95178 95179 bc556 95176->95179 95181 bc4e2 95177->95181 95421 bb965 118 API calls __fcloseall 95178->95421 95180 91c9d _free 47 API calls 95179->95180 95185 bc41b 95180->95185 95183 91c9d _free 47 API calls 95181->95183 95183->95185 95184 bc54e 95186 91c9d _free 47 API calls 95184->95186 95185->95085 95187 74252 
95185->95187 95186->95185 95188 74263 95187->95188 95189 7425c 95187->95189 95191 74283 FreeLibrary 95188->95191 95192 74272 95188->95192 95422 935e4 95189->95422 95191->95192 95192->95085 95242 74339 95193->95242 95197 74244 FreeLibrary 95198 741bb 95197->95198 95200 93499 95198->95200 95199 7423c 95199->95197 95199->95198 95250 934ae 95200->95250 95202 741c8 95202->95133 95202->95134 95329 742e4 95203->95329 95206 742b8 95208 742c1 FreeLibrary 95206->95208 95209 741ec 95206->95209 95208->95209 95210 74380 95209->95210 95211 8f4ea 48 API calls 95210->95211 95212 74395 95211->95212 95213 747b7 48 API calls 95212->95213 95214 743a1 _memcpy_s 95213->95214 95215 743dc 95214->95215 95217 744d1 95214->95217 95218 74499 95214->95218 95216 74950 57 API calls 95215->95216 95221 743e5 95216->95221 95348 bc750 93 API calls 95217->95348 95337 7406b CreateStreamOnHGlobal 95218->95337 95222 744ed 64 API calls 95221->95222 95224 74479 95221->95224 95225 e4ed7 95221->95225 95343 74517 95221->95343 95222->95221 95224->95141 95226 74517 83 API calls 95225->95226 95227 e4eeb 95226->95227 95228 744ed 64 API calls 95227->95228 95228->95224 95230 744ff 95229->95230 95231 e4fc0 95229->95231 95372 9381e 95230->95372 95234 bbf5a 95392 bbdb4 95234->95392 95236 bbf70 95236->95149 95238 7495f 95237->95238 95239 e5002 95237->95239 95397 93e65 95238->95397 95241 74967 95241->95151 95246 7434b 95242->95246 95245 74321 LoadLibraryA GetProcAddress 95245->95199 95247 7422f 95246->95247 95248 74354 LoadLibraryA 95246->95248 95247->95199 95247->95245 95248->95247 95249 74365 GetProcAddress 95248->95249 95249->95247 95253 934ba __setmbcp 95250->95253 95251 934cd 95298 97c0e 47 API calls __getptd_noexit 95251->95298 95253->95251 95255 934fe 95253->95255 95254 934d2 95299 96e10 8 API calls __wsplitpath_helper 95254->95299 95269 9e4c8 95255->95269 95258 93503 95259 93519 95258->95259 95260 9350c 95258->95260 95262 93543 95259->95262 95263 93523 95259->95263 95300 97c0e 47 API calls __getptd_noexit 
95260->95300 95283 9e5e0 95262->95283 95301 97c0e 47 API calls __getptd_noexit 95263->95301 95268 934dd @_EH4_CallFilterFunc@8 __setmbcp 95268->95202 95270 9e4d4 __setmbcp 95269->95270 95271 97cf4 __lock 47 API calls 95270->95271 95281 9e4e2 95271->95281 95272 9e552 95303 9e5d7 95272->95303 95273 9e559 95308 969d0 47 API calls std::exception::_Copy_str 95273->95308 95276 9e560 95276->95272 95278 9e56f InitializeCriticalSectionAndSpinCount EnterCriticalSection 95276->95278 95277 9e5cc __setmbcp 95277->95258 95278->95272 95279 97d7c __mtinitlocknum 47 API calls 95279->95281 95281->95272 95281->95273 95281->95279 95306 94e5b 48 API calls __lock 95281->95306 95307 94ec5 LeaveCriticalSection LeaveCriticalSection _doexit 95281->95307 95292 9e600 __wopenfile 95283->95292 95284 9e61a 95313 97c0e 47 API calls __getptd_noexit 95284->95313 95285 9e7d5 95285->95284 95289 9e838 95285->95289 95287 9e61f 95314 96e10 8 API calls __wsplitpath_helper 95287->95314 95310 a63c9 95289->95310 95290 9354e 95302 93570 LeaveCriticalSection LeaveCriticalSection _fseek 95290->95302 95292->95284 95292->95285 95315 9185b 59 API calls 2 library calls 95292->95315 95294 9e7ce 95294->95285 95316 9185b 59 API calls 2 library calls 95294->95316 95296 9e7ed 95296->95285 95317 9185b 59 API calls 2 library calls 95296->95317 95298->95254 95299->95268 95300->95268 95301->95268 95302->95268 95309 97e58 LeaveCriticalSection 95303->95309 95305 9e5de 95305->95277 95306->95281 95307->95281 95308->95276 95309->95305 95318 a5bb1 95310->95318 95312 a63e2 95312->95290 95313->95287 95314->95290 95315->95294 95316->95296 95317->95285 95319 a5bbd __setmbcp 95318->95319 95320 a5bcf 95319->95320 95323 a5c06 95319->95323 95321 97c0e __wsplitpath_helper 47 API calls 95320->95321 95322 a5bd4 95321->95322 95324 96e10 __wsplitpath_helper 8 API calls 95322->95324 95325 a5c78 __wsopen_helper 110 API calls 95323->95325 95328 a5bde __setmbcp 95324->95328 95326 a5c23 95325->95326 95327 a5c4c __wsopen_helper 
LeaveCriticalSection 95326->95327 95327->95328 95328->95312 95333 742f6 95329->95333 95332 742cc LoadLibraryA GetProcAddress 95332->95206 95334 742aa 95333->95334 95335 742ff LoadLibraryA 95333->95335 95334->95206 95334->95332 95335->95334 95336 74310 GetProcAddress 95335->95336 95336->95334 95338 74085 FindResourceExW 95337->95338 95342 740a2 95337->95342 95339 e4f16 LoadResource 95338->95339 95338->95342 95340 e4f2b SizeofResource 95339->95340 95339->95342 95341 e4f3f LockResource 95340->95341 95340->95342 95341->95342 95342->95215 95344 74526 95343->95344 95347 e4fe0 95343->95347 95349 93a8d 95344->95349 95346 74534 95346->95221 95348->95215 95350 93a99 __setmbcp 95349->95350 95351 93aa7 95350->95351 95352 93acd 95350->95352 95362 97c0e 47 API calls __getptd_noexit 95351->95362 95364 94e1c 95352->95364 95355 93aac 95363 96e10 8 API calls __wsplitpath_helper 95355->95363 95356 93ad3 95370 939fe 81 API calls 4 library calls 95356->95370 95359 93ae2 95371 93b04 LeaveCriticalSection LeaveCriticalSection _fseek 95359->95371 95361 93ab7 __setmbcp 95361->95346 95362->95355 95363->95361 95365 94e2c 95364->95365 95366 94e4e EnterCriticalSection 95364->95366 95365->95366 95367 94e34 95365->95367 95368 94e44 95366->95368 95369 97cf4 __lock 47 API calls 95367->95369 95368->95356 95369->95368 95370->95359 95371->95361 95375 93839 95372->95375 95374 74510 95374->95234 95376 93845 __setmbcp 95375->95376 95377 93888 95376->95377 95378 9385b _memset 95376->95378 95387 93880 __setmbcp 95376->95387 95379 94e1c __lock_file 48 API calls 95377->95379 95388 97c0e 47 API calls __getptd_noexit 95378->95388 95381 9388e 95379->95381 95390 9365b 62 API calls 5 library calls 95381->95390 95382 93875 95389 96e10 8 API calls __wsplitpath_helper 95382->95389 95385 938a4 95391 938c2 LeaveCriticalSection LeaveCriticalSection _fseek 95385->95391 95387->95374 95388->95382 95389->95387 95390->95385 95391->95387 95395 9344a GetSystemTimeAsFileTime 95392->95395 95394 bbdc3 95394->95236 95396 93478 
__aulldiv 95395->95396 95396->95394 95398 93e71 __setmbcp 95397->95398 95399 93e7f 95398->95399 95400 93e94 95398->95400 95411 97c0e 47 API calls __getptd_noexit 95399->95411 95401 94e1c __lock_file 48 API calls 95400->95401 95403 93e9a 95401->95403 95413 93b0c 55 API calls 5 library calls 95403->95413 95404 93e84 95412 96e10 8 API calls __wsplitpath_helper 95404->95412 95407 93ea5 95414 93ec5 LeaveCriticalSection LeaveCriticalSection _fseek 95407->95414 95408 93e8f __setmbcp 95408->95241 95410 93eb7 95410->95408 95411->95404 95412->95408 95413->95407 95414->95410 95416 bc581 __tzset_nolock _wcscmp 95415->95416 95417 bc417 95416->95417 95418 744ed 64 API calls 95416->95418 95419 bbf5a GetSystemTimeAsFileTime 95416->95419 95420 74517 83 API calls 95416->95420 95417->95157 95417->95185 95418->95416 95419->95416 95420->95416 95421->95184 95423 935f0 __setmbcp 95422->95423 95424 9361c 95423->95424 95425 93604 95423->95425 95427 94e1c __lock_file 48 API calls 95424->95427 95432 93614 __setmbcp 95424->95432 95451 97c0e 47 API calls __getptd_noexit 95425->95451 95429 9362e 95427->95429 95428 93609 95452 96e10 8 API calls __wsplitpath_helper 95428->95452 95435 93578 95429->95435 95432->95188 95436 9359b 95435->95436 95437 93587 95435->95437 95438 93597 95436->95438 95454 92c84 95436->95454 95494 97c0e 47 API calls __getptd_noexit 95437->95494 95453 93653 LeaveCriticalSection LeaveCriticalSection _fseek 95438->95453 95441 9358c 95495 96e10 8 API calls __wsplitpath_helper 95441->95495 95447 935b5 95471 9e9d2 95447->95471 95449 935bb 95449->95438 95450 91c9d _free 47 API calls 95449->95450 95450->95438 95451->95428 95452->95432 95453->95432 95455 92c97 95454->95455 95459 92cbb 95454->95459 95456 92933 __stbuf 47 API calls 95455->95456 95455->95459 95457 92cb4 95456->95457 95496 9af61 95457->95496 95460 9eb36 95459->95460 95461 935af 95460->95461 95462 9eb43 95460->95462 95464 92933 95461->95464 95462->95461 95463 91c9d _free 47 API calls 95462->95463 95463->95461 95465 9293d 
95464->95465 95466 92952 95464->95466 95602 97c0e 47 API calls __getptd_noexit 95465->95602 95466->95447 95468 92942 95603 96e10 8 API calls __wsplitpath_helper 95468->95603 95470 9294d 95470->95447 95472 9e9de __setmbcp 95471->95472 95473 9e9e6 95472->95473 95478 9e9fe 95472->95478 95619 97bda 47 API calls __getptd_noexit 95473->95619 95475 9ea7b 95623 97bda 47 API calls __getptd_noexit 95475->95623 95476 9e9eb 95620 97c0e 47 API calls __getptd_noexit 95476->95620 95478->95475 95481 9ea28 95478->95481 95480 9ea80 95624 97c0e 47 API calls __getptd_noexit 95480->95624 95483 9a8ed ___lock_fhandle 49 API calls 95481->95483 95485 9ea2e 95483->95485 95484 9ea88 95625 96e10 8 API calls __wsplitpath_helper 95484->95625 95487 9ea4c 95485->95487 95488 9ea41 95485->95488 95621 97c0e 47 API calls __getptd_noexit 95487->95621 95604 9ea9c 95488->95604 95489 9e9f3 __setmbcp 95489->95449 95492 9ea47 95622 9ea73 LeaveCriticalSection __unlock_fhandle 95492->95622 95494->95441 95495->95438 95497 9af6d __setmbcp 95496->95497 95498 9af8d 95497->95498 95499 9af75 95497->95499 95501 9b022 95498->95501 95506 9afbf 95498->95506 95594 97bda 47 API calls __getptd_noexit 95499->95594 95599 97bda 47 API calls __getptd_noexit 95501->95599 95502 9af7a 95595 97c0e 47 API calls __getptd_noexit 95502->95595 95505 9b027 95600 97c0e 47 API calls __getptd_noexit 95505->95600 95521 9a8ed 95506->95521 95509 9b02f 95601 96e10 8 API calls __wsplitpath_helper 95509->95601 95510 9afc5 95512 9afd8 95510->95512 95513 9afeb 95510->95513 95530 9b043 95512->95530 95596 97c0e 47 API calls __getptd_noexit 95513->95596 95514 9af82 __setmbcp 95514->95459 95517 9afe4 95598 9b01a LeaveCriticalSection __unlock_fhandle 95517->95598 95518 9aff0 95597 97bda 47 API calls __getptd_noexit 95518->95597 95523 9a8f9 __setmbcp 95521->95523 95522 9a946 EnterCriticalSection 95525 9a96c __setmbcp 95522->95525 95523->95522 95524 97cf4 __lock 47 API calls 95523->95524 95526 9a91d 95524->95526 95525->95510 95527 9a928 
InitializeCriticalSectionAndSpinCount 95526->95527 95528 9a93a 95526->95528 95527->95528 95529 9a970 ___lock_fhandle LeaveCriticalSection 95528->95529 95529->95522 95531 9b050 __ftell_nolock 95530->95531 95532 9b08d 95531->95532 95533 9b0ac 95531->95533 95565 9b082 95531->95565 95535 97bda __free_osfhnd 47 API calls 95532->95535 95536 9b105 95533->95536 95537 9b0e9 95533->95537 95534 9a70c __NMSG_WRITE 6 API calls 95538 9b86b 95534->95538 95539 9b092 95535->95539 95540 9b11c 95536->95540 95543 9f82f __lseeki64_nolock 49 API calls 95536->95543 95542 97bda __free_osfhnd 47 API calls 95537->95542 95538->95517 95541 97c0e __wsplitpath_helper 47 API calls 95539->95541 95545 a3bf2 __stbuf 47 API calls 95540->95545 95544 9b099 95541->95544 95546 9b0ee 95542->95546 95543->95540 95547 96e10 __wsplitpath_helper 8 API calls 95544->95547 95548 9b12a 95545->95548 95549 97c0e __wsplitpath_helper 47 API calls 95546->95549 95547->95565 95550 9b44b 95548->95550 95557 97a0d _wcstok 47 API calls 95548->95557 95551 9b0f5 95549->95551 95552 9b7b8 WriteFile 95550->95552 95553 9b463 95550->95553 95554 96e10 __wsplitpath_helper 8 API calls 95551->95554 95555 9b7e1 GetLastError 95552->95555 95556 9b410 95552->95556 95558 9b479 95553->95558 95559 9b55a 95553->95559 95554->95565 95555->95556 95563 9b81b 95556->95563 95556->95565 95571 9b7f7 95556->95571 95562 9b150 GetConsoleMode 95557->95562 95558->95563 95568 9b4e9 WriteFile 95558->95568 95560 9b663 95559->95560 95561 9b565 95559->95561 95560->95563 95572 9b6d8 WideCharToMultiByte 95560->95572 95561->95563 95576 9b5de WriteFile 95561->95576 95562->95550 95564 9b189 95562->95564 95563->95565 95566 97c0e __wsplitpath_helper 47 API calls 95563->95566 95564->95550 95567 9b199 GetConsoleCP 95564->95567 95565->95534 95570 9b843 95566->95570 95567->95556 95592 9b1c2 95567->95592 95568->95555 95569 9b526 95568->95569 95569->95556 95569->95558 95577 9b555 95569->95577 95573 97bda __free_osfhnd 47 API calls 95570->95573 95574 9b7fe 95571->95574 

              Control-flow Graph

              • Executed
              • Not Executed
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fe3571cbc72cce0dff625515198512f159e26c77fb9124a76f287d424efe5479
              • Instruction ID: b4b7abedfe273c7a33becabb1115aff650896d0380b83bdbd08ec7bc3b702629
              • Opcode Fuzzy Hash: fe3571cbc72cce0dff625515198512f159e26c77fb9124a76f287d424efe5479
              • Instruction Fuzzy Hash: 3C325D75A022288BDF24CF54ED856E9B7F5FB4A320F1841D9E40AA7A91D7309E80DF52

              Control-flow Graph

              APIs
              • GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00073AA3,?), ref: 00073D45
              • IsDebuggerPresent.KERNEL32(?,?,?,?,00073AA3,?), ref: 00073D57
              • GetFullPathNameW.KERNEL32(00007FFF,?,?,00131148,00131130,?,?,?,?,00073AA3,?), ref: 00073DC8
                • Part of subcall function 00076430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00073DEE,00131148,?,?,?,?,?,00073AA3,?), ref: 00076471
              • SetCurrentDirectoryW.KERNEL32(?,?,?,00073AA3,?), ref: 00073E48
              • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,001228F4,00000010), ref: 000E1CCE
              • SetCurrentDirectoryW.KERNEL32(?,00131148,?,?,?,?,?,00073AA3,?), ref: 000E1D06
              • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,0010DAB4,00131148,?,?,?,?,?,00073AA3,?), ref: 000E1D89
              • ShellExecuteW.SHELL32(00000000,?,?,?,?,00073AA3), ref: 000E1D90
                • Part of subcall function 00073E6E: GetSysColorBrush.USER32(0000000F), ref: 00073E79
                • Part of subcall function 00073E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00073E88
                • Part of subcall function 00073E6E: LoadIconW.USER32(00000063), ref: 00073E9E
                • Part of subcall function 00073E6E: LoadIconW.USER32(000000A4), ref: 00073EB0
                • Part of subcall function 00073E6E: LoadIconW.USER32(000000A2), ref: 00073EC2
                • Part of subcall function 00073E6E: RegisterClassExW.USER32(?), ref: 00073F30
                • Part of subcall function 000736B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 000736E6
                • Part of subcall function 000736B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00073707
                • Part of subcall function 000736B8: ShowWindow.USER32(00000000,?,?,?,?,00073AA3,?), ref: 0007371B
                • Part of subcall function 000736B8: ShowWindow.USER32(00000000,?,?,?,?,00073AA3,?), ref: 00073724
                • Part of subcall function 00074FFC: _memset.LIBCMT ref: 00075022
                • Part of subcall function 00074FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 000750CB
              Strings
              • runas, xrefs: 000E1D84
              • This is a third-party compiled AutoIt script., xrefs: 000E1CC8
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
              • String ID: This is a third-party compiled AutoIt script.$runas
              • API String ID: 438480954-3287110873
              • Opcode ID: a3c0c1e0b888bda139a28d5f2b6213fee20a5b979ed2c71e87afb1aa54c44442
              • Instruction ID: ff1f975d3c827659a19f7bd0a40e33195b7f8a17cc71519f49eed9ca50270d26
              • Opcode Fuzzy Hash: a3c0c1e0b888bda139a28d5f2b6213fee20a5b979ed2c71e87afb1aa54c44442
              • Instruction Fuzzy Hash: 5251F630E04288BEEF11ABB0DC45EED7BB5AB15700F10C065F64966193DBBC5A85EB25

              Control-flow Graph

              Control-flow graph (rendered edge list omitted): function starting at 8ddc0, basic blocks 8ddc0-8df3b and e244e-e24f8; API calls shown in the graph: GetVersionExW, GetCurrentProcess, GetNativeSystemInfo, GetSystemInfo, FreeLibrary
              APIs
              • GetVersionExW.KERNEL32(?), ref: 0008DDEC
              • GetCurrentProcess.KERNEL32(00000000,0010DC38,?,?), ref: 0008DEAC
              • GetNativeSystemInfo.KERNELBASE(?,0010DC38,?,?), ref: 0008DF01
              • FreeLibrary.KERNEL32(00000000,?,?), ref: 0008DF0C
              • FreeLibrary.KERNEL32(00000000,?,?), ref: 0008DF1F
              • GetSystemInfo.KERNEL32(?,0010DC38,?,?), ref: 0008DF29
              • GetSystemInfo.KERNEL32(?,0010DC38,?,?), ref: 0008DF35
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
              • String ID:
              • API String ID: 3851250370-0
              • Opcode ID: 60166034db1de1cc994c926601c1ed344c837456ae8c31a1cdfd644f68029510
              • Instruction ID: 7aee572d2ad1565c84927b74d9af3f8196a35ff024f1a78c1439f811d9cea40b
              • Opcode Fuzzy Hash: 60166034db1de1cc994c926601c1ed344c837456ae8c31a1cdfd644f68029510
              • Instruction Fuzzy Hash: 6B6194B180A2C4DFCF15EF6894C11EDBFB47F29300B1986DAD8859F287C624C949DB65

              Control-flow Graph

              Control-flow graph (rendered edge list omitted): function starting at 7406b, basic blocks 7406b-740a6 and e4f16-e4f6e; API calls shown in the graph: CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource, LockResource
              APIs
              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,0007449E,?,?,00000000,00000001), ref: 0007407B
              • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,0007449E,?,?,00000000,00000001), ref: 00074092
              • LoadResource.KERNEL32(?,00000000,?,?,0007449E,?,?,00000000,00000001,?,?,?,?,?,?,000741FB), ref: 000E4F1A
              • SizeofResource.KERNEL32(?,00000000,?,?,0007449E,?,?,00000000,00000001,?,?,?,?,?,?,000741FB), ref: 000E4F2F
              • LockResource.KERNEL32(0007449E,?,?,0007449E,?,?,00000000,00000001,?,?,?,?,?,?,000741FB,00000000), ref: 000E4F42
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
              • String ID: SCRIPT
              • API String ID: 3051347437-3967369404
              • Opcode ID: ef10f6edcc2e7c28bf5a957053643f164c77675de39a0c24ca8da492009ab163
              • Instruction ID: 52e7f47ebc23c602e8d76a78f551e006f9e5b81d07986214c4a67091bbbf9eca
              • Opcode Fuzzy Hash: ef10f6edcc2e7c28bf5a957053643f164c77675de39a0c24ca8da492009ab163
              • Instruction Fuzzy Hash: 3F118B70700701BFE7218B66EC48F277BBAEBC5B51F20812DF606966A0DB75DC00DAA0
              APIs
              • GetFileAttributesW.KERNELBASE(?,000E2F49), ref: 000B6CB9
              • FindFirstFileW.KERNELBASE(?,?), ref: 000B6CCA
              • FindClose.KERNEL32(00000000), ref: 000B6CDA
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: FileFind$AttributesCloseFirst
              • String ID:
              • API String ID: 48322524-0
              • Opcode ID: a308ae7205129c1ae23928a5b433a0d6697611fc5e28dd844005945d4af4e68b
              • Instruction ID: 484aea4150d01672c691a0f0f9b1369283711ed8e81f3ea4a313dabe6ca26013
              • Opcode Fuzzy Hash: a308ae7205129c1ae23928a5b433a0d6697611fc5e28dd844005945d4af4e68b
              • Instruction Fuzzy Hash: 5FE0D8318104106792206738EC0D4F93BADEB05339F100716F971C11D0E779E90095D5
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: BuffCharUpper
              • String ID:
              • API String ID: 3964851224-0
              • Opcode ID: 6222e726b662eb4805cb7036f2deeb8db25c183c93488b1f8941484331b4d1a1
              • Instruction ID: 3f362696a35bbdf43315cb03ddc3035050e4559c87059163d3ed3490bd1db0e0
              • Opcode Fuzzy Hash: 6222e726b662eb4805cb7036f2deeb8db25c183c93488b1f8941484331b4d1a1
              • Instruction Fuzzy Hash: 129277B0608341DFD724EF18C480B6ABBE1BF88704F14885DE9CA9B2A2D775ED45CB52
              APIs
              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0007E959
              • timeGetTime.WINMM ref: 0007EBFA
              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0007ED2E
              • TranslateMessage.USER32(?), ref: 0007ED3F
              • DispatchMessageW.USER32(?), ref: 0007ED4A
              • LockWindowUpdate.USER32(00000000), ref: 0007ED79
              • DestroyWindow.USER32 ref: 0007ED85
              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0007ED9F
              • Sleep.KERNEL32(0000000A), ref: 000E5270
              • TranslateMessage.USER32(?), ref: 000E59F7
              • DispatchMessageW.USER32(?), ref: 000E5A05
              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 000E5A19
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
              • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
              • API String ID: 2641332412-570651680
              • Opcode ID: 3acc2043bd72145ae81958593517d5cfd426d53376f0b0804019a2b2dadae15c
              • Instruction ID: 2b309efdfb43b2e9c2a2ea5f5654f3b410cc2a35f3998e972799c5b3db7ef380
              • Opcode Fuzzy Hash: 3acc2043bd72145ae81958593517d5cfd426d53376f0b0804019a2b2dadae15c
              • Instruction Fuzzy Hash: A462D770905380DFEB64DF24C885BAA77E5BF48304F0489ADF98A9B292D778D844CB56
              APIs
              • ___createFile.LIBCMT ref: 000A5EC3
              • ___createFile.LIBCMT ref: 000A5F04
              • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 000A5F2D
              • __dosmaperr.LIBCMT ref: 000A5F34
              • GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 000A5F47
              • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 000A5F6A
              • __dosmaperr.LIBCMT ref: 000A5F73
              • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 000A5F7C
              • __set_osfhnd.LIBCMT ref: 000A5FAC
              • __lseeki64_nolock.LIBCMT ref: 000A6016
              • __close_nolock.LIBCMT ref: 000A603C
              • __chsize_nolock.LIBCMT ref: 000A606C
              • __lseeki64_nolock.LIBCMT ref: 000A607E
              • __lseeki64_nolock.LIBCMT ref: 000A6176
              • __lseeki64_nolock.LIBCMT ref: 000A618B
              • __close_nolock.LIBCMT ref: 000A61EB
                • Part of subcall function 0009EA9C: CloseHandle.KERNELBASE(00000000,0011EEF4,00000000,?,000A6041,0011EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0009EAEC
                • Part of subcall function 0009EA9C: GetLastError.KERNEL32(?,000A6041,0011EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0009EAF6
                • Part of subcall function 0009EA9C: __free_osfhnd.LIBCMT ref: 0009EB03
                • Part of subcall function 0009EA9C: __dosmaperr.LIBCMT ref: 0009EB25
                • Part of subcall function 00097C0E: __getptd_noexit.LIBCMT ref: 00097C0E
              • __lseeki64_nolock.LIBCMT ref: 000A620D
              • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 000A6342
              • ___createFile.LIBCMT ref: 000A6361
              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 000A636E
              • __dosmaperr.LIBCMT ref: 000A6375
              • __free_osfhnd.LIBCMT ref: 000A6395
              • __invoke_watson.LIBCMT ref: 000A63C3
              • __wsopen_helper.LIBCMT ref: 000A63DD
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
              • String ID: @
              • API String ID: 3896587723-2766056989
              • Opcode ID: ae4fe966c4b008d151d2330bffb78b441877d1782fe16058590d0a5fe4c4170f
              • Instruction ID: 23a4879bbf87c92937843e1412502dcad85cbeb46346d1ef8be74392656ad322
              • Opcode Fuzzy Hash: ae4fe966c4b008d151d2330bffb78b441877d1782fe16058590d0a5fe4c4170f
              • Instruction Fuzzy Hash: 832226719006059FEF299FA8CC55BFE7BB1FB16324F284229E5219B2D2C7368D80D791

              Control-flow Graph

              Control-flow graph (rendered edge list omitted): function starting at bfa0c, basic blocks bfa0c-bfd1a; the graph shows only internal calls, no direct API calls
              APIs
              • _wcscpy.LIBCMT ref: 000BFA96
              • _wcschr.LIBCMT ref: 000BFAA4
              • _wcscpy.LIBCMT ref: 000BFABB
              • _wcscat.LIBCMT ref: 000BFACA
              • _wcscat.LIBCMT ref: 000BFAE8
              • _wcscpy.LIBCMT ref: 000BFB09
              • __wsplitpath.LIBCMT ref: 000BFBE6
              • _wcscpy.LIBCMT ref: 000BFC0B
              • _wcscpy.LIBCMT ref: 000BFC1D
              • _wcscpy.LIBCMT ref: 000BFC32
              • _wcscat.LIBCMT ref: 000BFC47
              • _wcscat.LIBCMT ref: 000BFC59
              • _wcscat.LIBCMT ref: 000BFC6E
                • Part of subcall function 000BBFA4: _wcscmp.LIBCMT ref: 000BC03E
                • Part of subcall function 000BBFA4: __wsplitpath.LIBCMT ref: 000BC083
                • Part of subcall function 000BBFA4: _wcscpy.LIBCMT ref: 000BC096
                • Part of subcall function 000BBFA4: _wcscat.LIBCMT ref: 000BC0A9
                • Part of subcall function 000BBFA4: __wsplitpath.LIBCMT ref: 000BC0CE
                • Part of subcall function 000BBFA4: _wcscat.LIBCMT ref: 000BC0E4
                • Part of subcall function 000BBFA4: _wcscat.LIBCMT ref: 000BC0F7
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
              • String ID: >>>AUTOIT SCRIPT<<<
              • API String ID: 2955681530-2806939583
              • Opcode ID: 0ff2aa50195c075b225ae9af06acc66b1af8993e3dc7d32df7b3f85c8e2767b0
              • Instruction ID: 44c1466c0e779ad6462d218be65a3128dafad805067d271d4ab3762b77ee0ea2
              • Opcode Fuzzy Hash: 0ff2aa50195c075b225ae9af06acc66b1af8993e3dc7d32df7b3f85c8e2767b0
              • Instruction Fuzzy Hash: A891B371504305AFDB20EB54C951FEFB3E9BF84310F008869F95997292DB34EA54CB96

              Control-flow Graph

              APIs
              • GetSysColorBrush.USER32(0000000F), ref: 00073F86
              • RegisterClassExW.USER32(00000030), ref: 00073FB0
              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00073FC1
              • InitCommonControlsEx.COMCTL32(?), ref: 00073FDE
              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00073FEE
              • LoadIconW.USER32(000000A9), ref: 00074004
              • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00074013
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
              • API String ID: 2914291525-1005189915
              • Opcode ID: f5863c2a8038aa77a48a365a3f082ca7595af07e115bdcd5520c7b48cc61877e
              • Instruction ID: 0fb0453f1b7e21c8222f9977864081b3518aef7d1d6260cbb0326c915b46ea9d
              • Opcode Fuzzy Hash: f5863c2a8038aa77a48a365a3f082ca7595af07e115bdcd5520c7b48cc61877e
              • Instruction Fuzzy Hash: 8821A7B5900319BFEB00EFE5E889BDDBBB5FB08700F00411AF615A66A0E7B94584DF95

              Control-flow Graph

              Control-flow graph (rendered edge list omitted): function starting at bbfa4, basic blocks bbfa4-bc393; API calls shown in the graph: DeleteFileW, CopyFileW
              APIs
                • Part of subcall function 000BBDB4: __time64.LIBCMT ref: 000BBDBE
                • Part of subcall function 00074517: _fseek.LIBCMT ref: 0007452F
              • __wsplitpath.LIBCMT ref: 000BC083
                • Part of subcall function 00091DFC: __wsplitpath_helper.LIBCMT ref: 00091E3C
              • _wcscpy.LIBCMT ref: 000BC096
              • _wcscat.LIBCMT ref: 000BC0A9
              • __wsplitpath.LIBCMT ref: 000BC0CE
              • _wcscat.LIBCMT ref: 000BC0E4
              • _wcscat.LIBCMT ref: 000BC0F7
              • _wcscmp.LIBCMT ref: 000BC03E
                • Part of subcall function 000BC56D: _wcscmp.LIBCMT ref: 000BC65D
                • Part of subcall function 000BC56D: _wcscmp.LIBCMT ref: 000BC670
              • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 000BC2A1
              • DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 000BC338
              • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 000BC34E
              • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 000BC35F
              • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 000BC371
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
              • String ID:
              • API String ID: 2378138488-0
              • Opcode ID: ebd2450c6054fef2929591b6139b4607fbd173b3d1637c1231ad8dfe04d45aed
              • Instruction ID: 3768cb8ba294b0f4e224d377b712453c5f65cb99c78613fbc6c47c4d0a9587f7
              • Opcode Fuzzy Hash: ebd2450c6054fef2929591b6139b4607fbd173b3d1637c1231ad8dfe04d45aed
              • Instruction Fuzzy Hash: C9C10CB1E00229AFDF21DF95CC81EDEB7BDAF49310F0080A6F609E6152DB749A449F65

              Control-flow Graph

              Control-flow graph (rendered edge list omitted): function starting at 73742, basic blocks 73742-73845 and e1da3-e1ea2; API calls shown in the graph: DefWindowProcW, PostQuitMessage, SetTimer, RegisterWindowMessageW, CreatePopupMenu, KillTimer, MoveWindow, SetFocus
              APIs
              • DefWindowProcW.USER32(?,?,?,?), ref: 000737B3
              • KillTimer.USER32(?,00000001), ref: 000737DD
              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00073800
              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0007380B
              • CreatePopupMenu.USER32 ref: 0007381F
              • PostQuitMessage.USER32(00000000), ref: 0007382E
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
              • String ID: TaskbarCreated
              • API String ID: 129472671-2362178303
              • Opcode ID: 2f9f444c81d352f4817714e792a67ebf8f19cfc0a0ca9d5853c99214788c3977
              • Instruction ID: f4ed37b6a9139a3dbe4641c611d80788243d394cbcea01e4218297a06c453f36
              • Opcode Fuzzy Hash: 2f9f444c81d352f4817714e792a67ebf8f19cfc0a0ca9d5853c99214788c3977
              • Instruction Fuzzy Hash: 564117F590824AABFB385F68AD4ABBE3695F700300F048125F509E2591DB789E80F769

              Control-flow Graph

              APIs
              • GetSysColorBrush.USER32(0000000F), ref: 00073E79
              • LoadCursorW.USER32(00000000,00007F00), ref: 00073E88
              • LoadIconW.USER32(00000063), ref: 00073E9E
              • LoadIconW.USER32(000000A4), ref: 00073EB0
              • LoadIconW.USER32(000000A2), ref: 00073EC2
                • Part of subcall function 00074024: LoadImageW.USER32(00070000,00000063,00000001,00000010,00000010,00000000), ref: 00074048
              • RegisterClassExW.USER32(?), ref: 00073F30
                • Part of subcall function 00073F53: GetSysColorBrush.USER32(0000000F), ref: 00073F86
                • Part of subcall function 00073F53: RegisterClassExW.USER32(00000030), ref: 00073FB0
                • Part of subcall function 00073F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00073FC1
                • Part of subcall function 00073F53: InitCommonControlsEx.COMCTL32(?), ref: 00073FDE
                • Part of subcall function 00073F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00073FEE
                • Part of subcall function 00073F53: LoadIconW.USER32(000000A9), ref: 00074004
                • Part of subcall function 00073F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00074013
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
              • String ID: #$0$AutoIt v3
              • API String ID: 423443420-4155596026
              • Opcode ID: 759fc4d83e77942ee9e2a5b66bc7506302549b225682e824b645db08dee3b64c
              • Instruction ID: 179da690358eae36488a051399c40b82aee71e3b4cfefd5221f6920be64ba390
              • Opcode Fuzzy Hash: 759fc4d83e77942ee9e2a5b66bc7506302549b225682e824b645db08dee3b64c
              • Instruction Fuzzy Hash: B42132B0D04304BFDB14DFA9EC49A99BFF5FB48310F10812AE218A76A0D7754680DF95

              Control-flow Graph

              APIs
              • __lock.LIBCMT ref: 0009ACC1
                • Part of subcall function 00097CF4: __mtinitlocknum.LIBCMT ref: 00097D06
                • Part of subcall function 00097CF4: EnterCriticalSection.KERNEL32(00000000,?,00097ADD,0000000D), ref: 00097D1F
              • __calloc_crt.LIBCMT ref: 0009ACD2
                • Part of subcall function 00096986: __calloc_impl.LIBCMT ref: 00096995
                • Part of subcall function 00096986: Sleep.KERNEL32(00000000,000003BC,0008F507,?,0000000E), ref: 000969AC
              • @_EH4_CallFilterFunc@8.LIBCMT ref: 0009ACED
              • GetStartupInfoW.KERNEL32(?,00126E28,00000064,00095E91,00126C70,00000014), ref: 0009AD46
              • __calloc_crt.LIBCMT ref: 0009AD91
              • GetFileType.KERNEL32(00000001), ref: 0009ADD8
              • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 0009AE11
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
              • String ID:
              • API String ID: 1426640281-0
              • Opcode ID: 94b157c78f3a9d91267984ed5d531d08fbe3539af113c10a36bb38a423c468db
              • Instruction ID: a0ef6142be9eea78b9d1cc5bfa7576be8dcde2c5e219ddc21f65caa7ee629e30
              • Opcode Fuzzy Hash: 94b157c78f3a9d91267984ed5d531d08fbe3539af113c10a36bb38a423c468db
              • Instruction Fuzzy Hash: E881F671A053558FDF24CF68C8905ADBBF0AF0A324B24426DD4A6AB7D1C7349843EB96

              Control-flow Graph

              APIs
              • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 0122ECB9
              • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0122EEDF
              Memory Dump Source
              • Source File: 00000000.00000002.1375166420.000000000122C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0122C000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_122c000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: CreateFileFreeVirtual
              • String ID:
              • API String ID: 204039940-0
              • Opcode ID: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
              • Instruction ID: 41812154b81d6421fefe396ed6cc5a6fe2d07197aa3ce78891955590feeca0d1
              • Opcode Fuzzy Hash: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
              • Instruction Fuzzy Hash: 71A12970E10219EBDB14CFA8C895BEEBBB5BF48314F208159E215BB281D7759A80DF90

              Control-flow Graph

              APIs
              • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00074A1D
              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 000E41DB
              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 000E421A
              • RegCloseKey.ADVAPI32(?), ref: 000E4249
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: QueryValue$CloseOpen
              • String ID: Include$Software\AutoIt v3\AutoIt
              • API String ID: 1586453840-614718249
              • Opcode ID: 489e82b06505a0b64fe5521736e0d478c378a356e2aebd5f3f96f3a9d3302d7d
              • Instruction ID: 6c4f8de64ae8e4410ce046d68ff2fd93d003dc5c9d08b631ddb94dee587f0379
              • Opcode Fuzzy Hash: 489e82b06505a0b64fe5521736e0d478c378a356e2aebd5f3f96f3a9d3302d7d
              • Instruction Fuzzy Hash: 20113D71A00109BFEB04ABA4DD86EFF7BBCEF04344F004059B546E6191EBB4AE01EB54

              Control-flow Graph

              APIs
              • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 000736E6
              • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00073707
              • ShowWindow.USER32(00000000,?,?,?,?,00073AA3,?), ref: 0007371B
              • ShowWindow.USER32(00000000,?,?,?,?,00073AA3,?), ref: 00073724
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Window$CreateShow
              • String ID: AutoIt v3$edit
              • API String ID: 1584632944-3779509399
              • Opcode ID: c0fdbc1087b754d79315f420997e5a644fb3273b53bdf593c7bda1a62b315bf5
              • Instruction ID: 1b78e0cb9bbd1bac6e30b52cdbb9c23fc7df60505c4c302edeef30beaed5a3e1
              • Opcode Fuzzy Hash: c0fdbc1087b754d79315f420997e5a644fb3273b53bdf593c7bda1a62b315bf5
              • Instruction Fuzzy Hash: 77F0FE716402D47AE7355B57AC4CE773E7EE7C6F20F00401FBA08A65B0D66508D5DAB0

              Control-flow Graph

              APIs
                • Part of subcall function 0122E878: Sleep.KERNELBASE(000001F4), ref: 0122E889
              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0122EAD2
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1375166420.000000000122C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0122C000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_122c000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: CreateFileSleep
              • String ID: 5P6CW9FK9VYE1DYOXZVG54VK
              • API String ID: 2694422964-1301391613
              • Opcode ID: 5bdb3307aead30f19a8dd7319e14cc662c503e8cae0cb94bd1cf8be9d8123d1b
              • Instruction ID: 21616963cb0fcbb99ce4c7d5e96705b103ee67c02379ba692c1a0f17239f212f
              • Opcode Fuzzy Hash: 5bdb3307aead30f19a8dd7319e14cc662c503e8cae0cb94bd1cf8be9d8123d1b
              • Instruction Fuzzy Hash: CF619130D14299EBEF11DBA4D844BEFBBB5AF15300F004199E209BB2C1D7BA4B45CB66
              APIs
              • _memset.LIBCMT ref: 0007522F
              • _wcscpy.LIBCMT ref: 00075283
              • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00075293
              • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 000E3CB0
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: IconLoadNotifyShell_String_memset_wcscpy
              • String ID: Line:
              • API String ID: 1053898822-1585850449
              • Opcode ID: 4720482a5ceaf1a89a4f03f8a46faf4847c3732620a992730b4f3a204aed5a11
              • Instruction ID: 68f94da3da91362903b4c98d493bf777d4ebed7bb33c8583ac00f48c97d1bf00
              • Opcode Fuzzy Hash: 4720482a5ceaf1a89a4f03f8a46faf4847c3732620a992730b4f3a204aed5a11
              • Instruction Fuzzy Hash: 7231AF71808740AFD724EB60DC46FDE77D8AF45311F00851EF59D92092EBB8A689CB9A
              APIs
                • Part of subcall function 000741A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,000739FE,?,00000001), ref: 000741DB
              • _free.LIBCMT ref: 000E36B7
              • _free.LIBCMT ref: 000E36FE
                • Part of subcall function 0007C833: __wsplitpath.LIBCMT ref: 0007C93E
                • Part of subcall function 0007C833: _wcscpy.LIBCMT ref: 0007C953
                • Part of subcall function 0007C833: _wcscat.LIBCMT ref: 0007C968
                • Part of subcall function 0007C833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0007C978
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
              • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
              • API String ID: 805182592-1757145024
              • Opcode ID: c789256e24f0f3a80243bfefc5df140b8f6497d88b5c149e9b3f27031d9f3a58
              • Instruction ID: 802f9ef542ad6b8a3f3273d035c86e632861500617802cbb3194445d0be7a338
              • Opcode Fuzzy Hash: c789256e24f0f3a80243bfefc5df140b8f6497d88b5c149e9b3f27031d9f3a58
              • Instruction Fuzzy Hash: 3B919171910259EFCF14EFA5CC959EEBBB4BF08310F40842AF416BB292DB74AA04CB54
              APIs
                • Part of subcall function 00075374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00131148,?,000761FF,?,00000000,00000001,00000000), ref: 00075392
                • Part of subcall function 000749FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00074A1D
              • _wcscat.LIBCMT ref: 000E2D80
              • _wcscat.LIBCMT ref: 000E2DB5
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: _wcscat$FileModuleNameOpen
              • String ID: \$\Include\
              • API String ID: 3592542968-2640467822
              • Opcode ID: 34ae2dbefc3d67cd83e91b8632a2a12d77c81d7f608308054ca8e5626449ec77
              • Instruction ID: 55401dd6e328a6781308f961f3a1848b331c58d9a8ae21e193c003ae35ea335e
              • Opcode Fuzzy Hash: 34ae2dbefc3d67cd83e91b8632a2a12d77c81d7f608308054ca8e5626449ec77
              • Instruction Fuzzy Hash: 1A51B8B18043409FC714FF55EE818DAB3F8FF59300B44852EF68993661EB749588CB56
              APIs
              • __getstream.LIBCMT ref: 000934FE
                • Part of subcall function 00097C0E: __getptd_noexit.LIBCMT ref: 00097C0E
              • @_EH4_CallFilterFunc@8.LIBCMT ref: 00093539
              • __wopenfile.LIBCMT ref: 00093549
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
              • String ID: <G
              • API String ID: 1820251861-2138716496
              • Opcode ID: d9ab440a5790b33d5e4739dba16894887884c2fd0ef5861073584f1a6c1e7223
              • Instruction ID: 1c431a6e896873f1aa15e99aa272d0de22180b01567fec2916050f22c80f1f5b
              • Opcode Fuzzy Hash: d9ab440a5790b33d5e4739dba16894887884c2fd0ef5861073584f1a6c1e7223
              • Instruction Fuzzy Hash: B7110A71A00206DBDF61BFB09C426EF36E4AF05750B168425E819C7182EB34DE11BBA1
              APIs
              • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,0008D28B,SwapMouseButtons,00000004,?), ref: 0008D2BC
              • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,0008D28B,SwapMouseButtons,00000004,?,?,?,?,0008C865), ref: 0008D2DD
              • RegCloseKey.KERNELBASE(00000000,?,?,0008D28B,SwapMouseButtons,00000004,?,?,?,?,0008C865), ref: 0008D2FF
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: CloseOpenQueryValue
              • String ID: Control Panel\Mouse
              • API String ID: 3677997916-824357125
              • Opcode ID: 6d65b2643f2f2244ae1ddf830f7f79e9e2754fe07464678bb20845d08c10fa6a
              • Instruction ID: 82a713cd7976e8160a9ff5b255d8ed5056e434d04333d177f9ab8c0a8ecf1b4d
              • Opcode Fuzzy Hash: 6d65b2643f2f2244ae1ddf830f7f79e9e2754fe07464678bb20845d08c10fa6a
              • Instruction Fuzzy Hash: CE112775611208BFEB20AFA4CC88EAE7BF8EF44754B10456AB845D7150EA31AE41AB60
              APIs
              • CreateProcessW.KERNELBASE(?,00000000), ref: 0122E033
              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0122E0C9
              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0122E0EB
              Memory Dump Source
              • Source File: 00000000.00000002.1375166420.000000000122C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0122C000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_122c000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Process$ContextCreateMemoryReadThreadWow64
              • String ID:
              • API String ID: 2438371351-0
              • Opcode ID: 75058a4f97cf2fcbd3f6bc15a6ffc08ef8895de4d25848071cc819695d886454
              • Instruction ID: e919d282742c7ca61f3868e41de1f9164687748278e72aa814e507e6f43cd2e3
              • Opcode Fuzzy Hash: 75058a4f97cf2fcbd3f6bc15a6ffc08ef8895de4d25848071cc819695d886454
              • Instruction Fuzzy Hash: A962FE30A242589BEB24DFA4C851BEEB772FF58300F1091A9D20DEB394E7759E81CB55
              APIs
                • Part of subcall function 00074517: _fseek.LIBCMT ref: 0007452F
                • Part of subcall function 000BC56D: _wcscmp.LIBCMT ref: 000BC65D
                • Part of subcall function 000BC56D: _wcscmp.LIBCMT ref: 000BC670
              • _free.LIBCMT ref: 000BC4DD
              • _free.LIBCMT ref: 000BC4E4
              • _free.LIBCMT ref: 000BC54F
                • Part of subcall function 00091C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00097A85), ref: 00091CB1
                • Part of subcall function 00091C9D: GetLastError.KERNEL32(00000000,?,00097A85), ref: 00091CC3
              • _free.LIBCMT ref: 000BC557
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
              • String ID:
              • API String ID: 1552873950-0
              • Opcode ID: 0c4af10440446b1fe8382cae8d32a76f34f7d3e1743b3aef6b58de3d60be7303
              • Instruction ID: d5e5b9de24a1a2a367048c45b63667cf6d471c1547c528d2eb0f35d77cf1313b
              • Opcode Fuzzy Hash: 0c4af10440446b1fe8382cae8d32a76f34f7d3e1743b3aef6b58de3d60be7303
              • Instruction Fuzzy Hash: 9C514DB1904219AFDF249F64DC81BEDBBB9EF48300F1040AEB25DA3242DB715A808F58
              APIs
              • _memset.LIBCMT ref: 000E3725
              • GetOpenFileNameW.COMDLG32 ref: 000E376F
                • Part of subcall function 0007660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000753B1,?,?,000761FF,?,00000000,00000001,00000000), ref: 0007662F
                • Part of subcall function 000740A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 000740C6
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Name$Path$FileFullLongOpen_memset
              • String ID: X
              • API String ID: 3777226403-3081909835
              • Opcode ID: a4bcba98718f6734bc46ff8d5593b1643074c3920e36aeb06ad28e993d0f4329
              • Instruction ID: 47343774fecb53c73c17d7581cdad2b45ee0fb42c01d65315e208fb77bb172d4
              • Opcode Fuzzy Hash: a4bcba98718f6734bc46ff8d5593b1643074c3920e36aeb06ad28e993d0f4329
              • Instruction Fuzzy Hash: 8F21D871E10298AFCF51DF94D8457EE7BF89F49300F00805AE409F7241DBB85A898F65
              APIs
              • GetTempPathW.KERNEL32(00000104,?), ref: 000BC72F
              • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 000BC746
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Temp$FileNamePath
              • String ID: aut
              • API String ID: 3285503233-3010740371
              • Opcode ID: 74754394f830d0cf91db7749818c9e6a2fea44cec4be519ea30ab383f4901f9f
              • Instruction ID: 6c713b289231482fd6049ab1981232977c9b3f754548c3c1c515b4427a062a6d
              • Opcode Fuzzy Hash: 74754394f830d0cf91db7749818c9e6a2fea44cec4be519ea30ab383f4901f9f
              • Instruction Fuzzy Hash: CDD05E7150030EABEB50AB90EC0EF9A776C9710708F0001A17690E50B1DBB9E699CB94
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0f82bd8f31bfa884cd78c6318d748a98e8074986a608bc820cb598fe89893208
              • Instruction ID: 287c5455babbbb93cc5cbe589787620a944a1b3f19e359c2e38104ff45c61177
              • Opcode Fuzzy Hash: 0f82bd8f31bfa884cd78c6318d748a98e8074986a608bc820cb598fe89893208
              • Instruction Fuzzy Hash: D0F14A716043029FD710DF24C481BAEB7E6FF88314F14892EF9999B292DB74E945CB82
              APIs
              • _memset.LIBCMT ref: 00075022
              • Shell_NotifyIconW.SHELL32(00000000,?), ref: 000750CB
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: IconNotifyShell__memset
              • String ID:
              • API String ID: 928536360-0
              • Opcode ID: 2cb23fcc584a779981fc0ac985a82823cd5f65140213be1279c9515cbc2009c4
              • Instruction ID: 917cc30868bbdeb88c71d5b9c464ad999aa4db146ffd2d232c689608e79124b5
              • Opcode Fuzzy Hash: 2cb23fcc584a779981fc0ac985a82823cd5f65140213be1279c9515cbc2009c4
              • Instruction Fuzzy Hash: C3319AB0A04B00DFD761DF24D8456DBBBE8FB48309F00492EF59E87241E7B5A984CB96
              APIs
              • __FF_MSGBANNER.LIBCMT ref: 00093973
                • Part of subcall function 000981C2: __NMSG_WRITE.LIBCMT ref: 000981E9
                • Part of subcall function 000981C2: __NMSG_WRITE.LIBCMT ref: 000981F3
              • __NMSG_WRITE.LIBCMT ref: 0009397A
                • Part of subcall function 0009821F: GetModuleFileNameW.KERNEL32(00000000,00130312,00000104,00000000,00000001,00000000), ref: 000982B1
                • Part of subcall function 0009821F: ___crtMessageBoxW.LIBCMT ref: 0009835F
                • Part of subcall function 00091145: ___crtCorExitProcess.LIBCMT ref: 0009114B
                • Part of subcall function 00091145: ExitProcess.KERNEL32 ref: 00091154
                • Part of subcall function 00097C0E: __getptd_noexit.LIBCMT ref: 00097C0E
              • RtlAllocateHeap.NTDLL(01010000,00000000,00000001,00000001,00000000,?,?,0008F507,?,0000000E), ref: 0009399F
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
              • String ID:
              • API String ID: 1372826849-0
              • Opcode ID: 21bd2714d55f47c5ee0f4f38e6b19390829833c48e215d79fb3f93df7ef9032e
              • Instruction ID: a01754f136e5ea0814cdb8aaf189d790ee81c5fd90d55fbe431ed28e6a927d2b
              • Opcode Fuzzy Hash: 21bd2714d55f47c5ee0f4f38e6b19390829833c48e215d79fb3f93df7ef9032e
              • Instruction Fuzzy Hash: 5301B9323452019AEE623B24DC56BAE33C89B81764F211029F519976D3DFB0DD40AA60
              APIs
              • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,000BC385,?,?,?,?,?,00000004), ref: 000BC6F2
              • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,000BC385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 000BC708
              • CloseHandle.KERNEL32(00000000,?,000BC385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 000BC70F
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: File$CloseCreateHandleTime
              • String ID:
              • API String ID: 3397143404-0
              • Opcode ID: 88c365df8c9d1fac5a9d8b8a0830f148a3ea0688e897fea01a26bbf0359fac22
              • Instruction ID: fb08533cf018fe6ab9cac82621f1495eab377ec83f1287e79aed2382937f2256
              • Opcode Fuzzy Hash: 88c365df8c9d1fac5a9d8b8a0830f148a3ea0688e897fea01a26bbf0359fac22
              • Instruction Fuzzy Hash: 80E08632180214B7F7211B54AC0DFDE7B59AB05764F104111FB14790E097B52621D798
              APIs
              • _free.LIBCMT ref: 000BBB72
                • Part of subcall function 00091C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00097A85), ref: 00091CB1
                • Part of subcall function 00091C9D: GetLastError.KERNEL32(00000000,?,00097A85), ref: 00091CC3
              • _free.LIBCMT ref: 000BBB83
              • _free.LIBCMT ref: 000BBB95
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: _free$ErrorFreeHeapLast
              • String ID:
              • API String ID: 776569668-0
              • Opcode ID: 20f76424029b3f4f106c4d8a086868d24a1af312dab904e69dcb584714f23b8e
              • Instruction ID: beb441729edfcdf6ccfabd8d183b925a70b66145569152ff6e04891110cb5626
              • Opcode Fuzzy Hash: 20f76424029b3f4f106c4d8a086868d24a1af312dab904e69dcb584714f23b8e
              • Instruction Fuzzy Hash: EFE017F174174287DE64A679AE48EF723CC4F44361B14081EB569E7187CFA4E84099A8
              APIs
                • Part of subcall function 000722A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,000724F1), ref: 00072303
              • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 000725A1
              • CoInitialize.OLE32(00000000), ref: 00072618
              • CloseHandle.KERNEL32(00000000), ref: 000E503A
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Handle$CloseInitializeMessageRegisterWindow
              • String ID:
              • API String ID: 3815369404-0
              • Opcode ID: c5fcf81d6dd9859636ab839873c3d36f1324cae5b9059251b82b4c7cd6e28cc0
              • Instruction ID: a36d8e5de186eaf151f421ca23c5e901b53238628235c10fe04cb61e755d4d2c
              • Opcode Fuzzy Hash: c5fcf81d6dd9859636ab839873c3d36f1324cae5b9059251b82b4c7cd6e28cc0
              • Instruction Fuzzy Hash: FD71CFB4901281FBC704EF6AEA9049ABBF4FB593507A0852ED50AD7F72DB744485CF18
              APIs
              • IsThemeActive.UXTHEME ref: 00073A73
                • Part of subcall function 00091405: __lock.LIBCMT ref: 0009140B
                • Part of subcall function 00073ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00073AF3
                • Part of subcall function 00073ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00073B08
                • Part of subcall function 00073D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00073AA3,?), ref: 00073D45
                • Part of subcall function 00073D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00073AA3,?), ref: 00073D57
                • Part of subcall function 00073D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,00131148,00131130,?,?,?,?,00073AA3,?), ref: 00073DC8
                • Part of subcall function 00073D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00073AA3,?), ref: 00073E48
              • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00073AB3
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
              • String ID:
              • API String ID: 924797094-0
              • Opcode ID: 4db57ffbcac74c6a5db79a1bf02e5f357ff7336fe423bb81a54c91794369749d
              • Instruction ID: 2f8fdd384b0dfef0e28a90b26a4a688e26140643a681323138d2142b934df9cc
              • Opcode Fuzzy Hash: 4db57ffbcac74c6a5db79a1bf02e5f357ff7336fe423bb81a54c91794369749d
              • Instruction Fuzzy Hash: 15119D71A08341AFC304EF69EC4599EFBE9FB95750F00891FF588876A2DB709584CB92
              APIs
              • ___lock_fhandle.LIBCMT ref: 0009EA29
              • __close_nolock.LIBCMT ref: 0009EA42
                • Part of subcall function 00097BDA: __getptd_noexit.LIBCMT ref: 00097BDA
                • Part of subcall function 00097C0E: __getptd_noexit.LIBCMT ref: 00097C0E
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: __getptd_noexit$___lock_fhandle__close_nolock
              • String ID:
              • API String ID: 1046115767-0
              • Opcode ID: 191950658f031d16918e11381d3d37f37233c7090e5006a4ee7e524976b01d04
              • Instruction ID: 16147296b62d7a5825722cb192a2da234d7ba029ba267b8b11ddab8a2fc0fef8
              • Opcode Fuzzy Hash: 191950658f031d16918e11381d3d37f37233c7090e5006a4ee7e524976b01d04
              • Instruction Fuzzy Hash: 261186729156908ADF22FF64D84239D7A916F41331F264344E4245F1F3CBB59D40B7A6
              APIs
                • Part of subcall function 0009395C: __FF_MSGBANNER.LIBCMT ref: 00093973
                • Part of subcall function 0009395C: __NMSG_WRITE.LIBCMT ref: 0009397A
                • Part of subcall function 0009395C: RtlAllocateHeap.NTDLL(01010000,00000000,00000001,00000001,00000000,?,?,0008F507,?,0000000E), ref: 0009399F
              • std::exception::exception.LIBCMT ref: 0008F51E
              • __CxxThrowException@8.LIBCMT ref: 0008F533
                • Part of subcall function 00096805: RaiseException.KERNEL32(?,?,0000000E,00126A30,?,?,?,0008F538,0000000E,00126A30,?,00000001), ref: 00096856
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
              • String ID:
              • API String ID: 3902256705-0
              • Opcode ID: e556283734dc6b64f1de8ae1d3388838ec4225a29830538b6339da66ae138869
              • Instruction ID: 2ca5c3d00591013f052617d66a6094eab4ef5e5dfec0e6a8b0cfde52df4c9952
              • Opcode Fuzzy Hash: e556283734dc6b64f1de8ae1d3388838ec4225a29830538b6339da66ae138869
              • Instruction Fuzzy Hash: 22F0AF3110421FA7DB04BFA8E8029FE77E8AF04354F604126FA4892182DFB59750A7AA
              APIs
                • Part of subcall function 00097C0E: __getptd_noexit.LIBCMT ref: 00097C0E
              • __lock_file.LIBCMT ref: 00093629
                • Part of subcall function 00094E1C: __lock.LIBCMT ref: 00094E3F
              • __fclose_nolock.LIBCMT ref: 00093634
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
              • String ID:
              • API String ID: 2800547568-0
              • Opcode ID: fdbc915fc1483a78c16fe43f9e19d2720aaf791c7e59c51c5e0e706e29472f79
              • Instruction ID: fb73bb330b90055ce5a6a9722e7c83fee41d6483e13cf136e058bd7f5641923c
              • Opcode Fuzzy Hash: fdbc915fc1483a78c16fe43f9e19d2720aaf791c7e59c51c5e0e706e29472f79
              • Instruction Fuzzy Hash: 49F0B472905604AADF21BFA588027AF7AE06F41730F25C108E425EB2C3CB7C8A01BF55
              APIs
              • CreateProcessW.KERNELBASE(?,00000000), ref: 0122E033
              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0122E0C9
              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0122E0EB
              Memory Dump Source
              • Source File: 00000000.00000002.1375166420.000000000122C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0122C000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_122c000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Process$ContextCreateMemoryReadThreadWow64
              • String ID:
              • API String ID: 2438371351-0
              • Opcode ID: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
              • Instruction ID: 82dfae5c6fce5d743fede647b631865ac1f4ecd2cd3c31b0cf14940ca026592a
              • Opcode Fuzzy Hash: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
              • Instruction Fuzzy Hash: 6512BE24A24658C6EB24DF64D8507DEB232EF68300F1091E9D10DEB7A5E77A4F81CF5A
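              The record above is the one worth a second look in this run of function listings: CreateProcessW, Wow64GetThreadContext and ReadProcessMemory are called from the dump at offset 0122C000, which the plugin marks "based on PE: false", i.e. code that was placed in memory at runtime rather than mapped from the image on disk. That API triple is the opening stage of process hollowing (spawn a host process, read its thread context, read the target memory); the page does not list the write, SetThreadContext or ResumeThread steps that normally complete the chain, so the rule below only claims a hollowing stage. Two smaller indicators elsewhere in these listings are also picked up: GetTempFileNameW with the "aut" prefix (the AutoIt runtime's temp-file naming, consistent with the "compiled AutoIt script" signature) and IsDebuggerPresent. The script is an added triage helper, not part of the Joe Sandbox report or plugin; the record text it parses is a constructed excerpt in the plugin's print format, and the rule names and severities are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed excerpt: three function records in the shape the Joe Sandbox IDA
# plugin prints them (not the full report text). Values copied from the listings.
SAMPLE_REPORT = """\
APIs
• GetTempPathW.KERNEL32(00000104,?), ref: 000BC72F
• GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 000BC746
Memory Dump Source
• Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
Similarity
• API ID: Temp$FileNamePath
• String ID: aut
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 0122E033
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0122E0C9
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0122E0EB
Memory Dump Source
• Source File: 00000000.00000002.1375166420.000000000122C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0122C000, based on PE: false
Similarity
• API ID: Process$ContextCreateMemoryReadThreadWow64
• String ID:
APIs
• IsThemeActive.UXTHEME ref: 00073A73
  • Part of subcall function 00073D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00073AA3,?), ref: 00073D57
Memory Dump Source
• Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
Similarity
• API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
• String ID:
"""

# "• Name.MODULE(args), ref: ..." with an optional "Part of subcall function X:" prefix.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[A-Za-z_][\w@]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
)
SOURCE_RE = re.compile(r"Offset:\s*(?P<offset>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)")

# Rule names are mine (hypothetical), not Joe Sandbox signature names.
CREATE_APIS = {"CreateProcessW", "CreateProcessA"}
HOLLOW_APIS = {"GetThreadContext", "Wow64GetThreadContext", "SetThreadContext",
               "Wow64SetThreadContext", "ReadProcessMemory", "WriteProcessMemory",
               "NtUnmapViewOfSection", "VirtualAllocEx", "ResumeThread"}


@dataclass
class Record:
    apis: List[Tuple[str, List[str]]] = field(default_factory=list)
    offset: str = ""
    pe_backed: Optional[bool] = None
    string_id: str = ""


@dataclass
class Finding:
    rule: str
    offset: str
    pe_backed: Optional[bool]
    evidence: List[str]


def parse_records(text: str) -> List[Record]:
    """Split plugin output into per-function records; a record starts at an 'APIs' line."""
    records: List[Record] = []
    cur: Optional[Record] = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            cur = Record()
            records.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in (m.group("args") or "").split(",") if a.strip()]
            cur.apis.append((m.group("name"), args))
            continue
        m = SOURCE_RE.search(line)
        if m:
            cur.offset = m.group("offset").upper()
            cur.pe_backed = m.group("pe") == "true"
            continue
        if stripped.startswith("• String ID:"):
            cur.string_id = stripped.split(":", 1)[1].strip()
    return records


def triage(text: str) -> List[Finding]:
    """Apply the three indicator rules; non-PE-backed sources are sorted first."""
    findings: List[Finding] = []
    for rec in parse_records(text):
        names = [n for n, _ in rec.apis]
        if CREATE_APIS & set(names) and HOLLOW_APIS & set(names):
            evidence = [n for n in names if n in CREATE_APIS | HOLLOW_APIS]
            findings.append(Finding("hollowing_stage", rec.offset, rec.pe_backed, evidence))
        for name, args in rec.apis:
            # GetTempFileNameW(path, prefix, unique, out): prefix is the 2nd argument.
            if name == "GetTempFileNameW" and len(args) >= 2 and args[1] == "aut":
                findings.append(Finding("autoit_tempfile", rec.offset, rec.pe_backed, [name]))
            if name == "IsDebuggerPresent":
                findings.append(Finding("anti_debug", rec.offset, rec.pe_backed, [name]))
    # Code running from a region with no image backing is the stronger signal.
    findings.sort(key=lambda f: (f.pe_backed is not False, f.rule))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"{f.rule:16} offset={f.offset} pe_backed={f.pe_backed} evidence={','.join(f.evidence)}")
```

              The "based on PE: false" flag is what separates a benign use of CreateProcessW in the AutoIt runtime from injection: the runtime's own calls in these listings all come from the 00070000 image, while the hollowing stage runs from 0122C000 with no image behind it.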
              APIs
              • __flush.LIBCMT ref: 00092A0B
                • Part of subcall function 00097C0E: __getptd_noexit.LIBCMT ref: 00097C0E
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: __flush__getptd_noexit
              • String ID:
              • API String ID: 4101623367-0
              • Opcode ID: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
              • Instruction ID: 89df414c497f60468da263cbddf1b03c09bf8212ded4f118d90495cfb7c663a8
              • Opcode Fuzzy Hash: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
              • Instruction Fuzzy Hash: E541A172700706BFDF78CEA9C8805AE7BE6AF45360F24853DE855C7241EA70DD85AB41
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: ProtectVirtual
              • String ID:
              • API String ID: 544645111-0
              • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
              • Instruction ID: 346e4be382deb12d9943a0425455b3ba85eefffbcafc5baaaa84b300418a9c67
              • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
              • Instruction Fuzzy Hash: D931E470A00245DBC758EF58C480A69FBE6FF59340B6486A5E48ACB366DB30EDC5CB80
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: ClearVariant
              • String ID:
              • API String ID: 1473721057-0
              • Opcode ID: 1a03c04b9ea017d24fe72d24de3d48628c6d04c0f62b42c29acab820df0dd057
              • Instruction ID: 57fc2f568dffd56e8a2c58725453ceb93bb41675e83c09bee76d59fdb2338fdc
              • Opcode Fuzzy Hash: 1a03c04b9ea017d24fe72d24de3d48628c6d04c0f62b42c29acab820df0dd057
              • Instruction Fuzzy Hash: 304127705046518FDB64DF29C484B2ABBE0BF45304F1989ACE9DA5B362C376E886CF52
              APIs
                • Part of subcall function 00074214: FreeLibrary.KERNEL32(00000000,?), ref: 00074247
              • LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,000739FE,?,00000001), ref: 000741DB
                • Part of subcall function 00074291: FreeLibrary.KERNEL32(00000000), ref: 000742C4
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Library$Free$Load
              • String ID:
              • API String ID: 2391024519-0
              • Opcode ID: 0dd82b13a06f02192ec2804cefd0bd0c7a01cb379eb29a37d53a8353e5bc2ef7
              • Instruction ID: ff888f1a3f016783ab232d29e0ebfd184858e00d7cebaec55b7c3d13cb51340a
              • Opcode Fuzzy Hash: 0dd82b13a06f02192ec2804cefd0bd0c7a01cb379eb29a37d53a8353e5bc2ef7
              • Instruction Fuzzy Hash: A5119431A00206AADF14AB64DC06BEE77E99F40700F50C429F59AA61C3DB789A219B64
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: ClearVariant
              • String ID:
              • API String ID: 1473721057-0
              • Opcode ID: 9533828e6dc6e895d322ff09569496d4a6a9b9a9749854d48640b9ec0eff83f6
              • Instruction ID: 03d02b0d9ec747817557db2a7b61e04294f796a903383196e10fd83e108ae19c
              • Opcode Fuzzy Hash: 9533828e6dc6e895d322ff09569496d4a6a9b9a9749854d48640b9ec0eff83f6
              • Instruction Fuzzy Hash: CA212670508701CFDB64EF64C444A6ABBE1BF89304F15496CEADA57262D731F849CF52
              APIs
              • ___lock_fhandle.LIBCMT ref: 0009AFC0
                • Part of subcall function 00097BDA: __getptd_noexit.LIBCMT ref: 00097BDA
                • Part of subcall function 00097C0E: __getptd_noexit.LIBCMT ref: 00097C0E
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: __getptd_noexit$___lock_fhandle
              • String ID:
              • API String ID: 1144279405-0
              • Opcode ID: 91800152033a29df5b83fc0b91b3b3ba43cd6da4f02cf9dcb685d29f42ce78aa
              • Instruction ID: 857397014c3e7268985c905cfdac357e8757f2bb4bddf85756ff0595b1854abe
              • Opcode Fuzzy Hash: 91800152033a29df5b83fc0b91b3b3ba43cd6da4f02cf9dcb685d29f42ce78aa
              • Instruction Fuzzy Hash: 0F11C4B39146008FDF227FA4E90639E36A0AF82331F264240E4381F1E3D7B58D40BBA1
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: LibraryLoad
              • String ID:
              • API String ID: 1029625771-0
              • Opcode ID: 279f5f87aea4605f70f2d64a128fa314d82d263771f3b219d5efef33e318cff7
              • Instruction ID: f378ca6a85c819574c65e7d4d081805d382a8cb874ebd5249bd8061ee2f43838
              • Opcode Fuzzy Hash: 279f5f87aea4605f70f2d64a128fa314d82d263771f3b219d5efef33e318cff7
              • Instruction Fuzzy Hash: 4501863190010DAEDF04EF64C8828EEBBB8EF10304F40C065B51697196EB309A59DB64
              APIs
              • __lock_file.LIBCMT ref: 00092AED
                • Part of subcall function 00097C0E: __getptd_noexit.LIBCMT ref: 00097C0E
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: __getptd_noexit__lock_file
              • String ID:
              • API String ID: 2597487223-0
              • Opcode ID: d8dddada73806c6da01712cdcb98a0bfcd5d7d39ad1ba76c7e6159513aaac31e
              • Instruction ID: 3700fedc4d84cccbe0b5686775e3a55821abf7a7a9b1b2d04edade104e06d8d5
              • Opcode Fuzzy Hash: d8dddada73806c6da01712cdcb98a0bfcd5d7d39ad1ba76c7e6159513aaac31e
              • Instruction Fuzzy Hash: 10F06D32900205FBDF22AF648C067DF3AA5BF00320F168415F8149A1A2D7798A66FB52
              APIs
              • FreeLibrary.KERNEL32(?,?,?,?,?,000739FE,?,00000001), ref: 00074286
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: FreeLibrary
              • String ID:
              • API String ID: 3664257935-0
              • Opcode ID: 33d1e1acae458588f86d4510b8ed884df09f512d096ff7b2f29d4f2c9e5dc7ad
              • Instruction ID: 96d6c0ec3c7728b3d8a54869603ee462129900209d29beb59870a6a883d0b997
              • Opcode Fuzzy Hash: 33d1e1acae458588f86d4510b8ed884df09f512d096ff7b2f29d4f2c9e5dc7ad
              • Instruction Fuzzy Hash: 79F0A070804701DFCB348F60D480816B7F4BF04315321CA3EF1DA82912C7359850DF44
              APIs
              • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 000740C6
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: LongNamePath
              • String ID:
              • API String ID: 82841172-0
              • Opcode ID: fb7db8c88f9edf28dccee14ef74732825e583e6f750c06f755a00322e0c6e244
              • Instruction ID: 81cafaa37e82ea791e1b9e82861ac37880335f863f32d5463e9ed8ce9203a926
              • Opcode Fuzzy Hash: fb7db8c88f9edf28dccee14ef74732825e583e6f750c06f755a00322e0c6e244
              • Instruction Fuzzy Hash: 0EE0CD369001246BC7119754CC46FFB779DDF88690F094075F909D7245DD64D9819690
              APIs
              • Sleep.KERNELBASE(000001F4), ref: 0122E889
              Memory Dump Source
              • Source File: 00000000.00000002.1375166420.000000000122C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0122C000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_122c000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Sleep
              • String ID:
              • API String ID: 3472027048-0
              • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
              • Instruction ID: eba4be9f3bd6cf9bad52914205305f1374b0767796bf3dde9bcc7c19f71274ec
              • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
              • Instruction Fuzzy Hash: 5CE0BF7494010DEFDB00DFA4D5496DD7BB4EF04301F1005A1FD05D7690DB709E549A62
              APIs
              • Sleep.KERNELBASE(000001F4), ref: 0122E889
              Memory Dump Source
              • Source File: 00000000.00000002.1375166420.000000000122C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0122C000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_122c000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Sleep
              • String ID:
              • API String ID: 3472027048-0
              • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
              • Instruction ID: c1c8f2827a927352484143930114cd99f66aa4365eedec2d81d0f070bd04b5c8
              • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
              • Instruction Fuzzy Hash: FDE0E67494010DEFDB00DFB4D54969D7BB4EF04301F100161FD01D2280D6709D509A62
              APIs
                • Part of subcall function 0008B34E: GetWindowLongW.USER32(?,000000EB), ref: 0008B35F
              • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 000DF87D
              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 000DF8DC
              • GetWindowLongW.USER32(?,000000F0), ref: 000DF919
              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 000DF940
              • SendMessageW.USER32 ref: 000DF966
              • _wcsncpy.LIBCMT ref: 000DF9D2
              • GetKeyState.USER32(00000011), ref: 000DF9F3
              • GetKeyState.USER32(00000009), ref: 000DFA00
              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 000DFA16
              • GetKeyState.USER32(00000010), ref: 000DFA20
              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 000DFA4F
              • SendMessageW.USER32 ref: 000DFA72
              • SendMessageW.USER32(?,00001030,?,000DE059), ref: 000DFB6F
              • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 000DFB85
              • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 000DFB96
              • SetCapture.USER32(?), ref: 000DFB9F
              • ClientToScreen.USER32(?,?), ref: 000DFC03
              • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 000DFC0F
              • InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 000DFC29
              • ReleaseCapture.USER32 ref: 000DFC34
              • GetCursorPos.USER32(?), ref: 000DFC69
              • ScreenToClient.USER32(?,?), ref: 000DFC76
              • SendMessageW.USER32(?,00001012,00000000,?), ref: 000DFCD8
              • SendMessageW.USER32 ref: 000DFD02
              • SendMessageW.USER32(?,00001111,00000000,?), ref: 000DFD41
              • SendMessageW.USER32 ref: 000DFD6C
              • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 000DFD84
              • SendMessageW.USER32(?,0000110B,00000009,?), ref: 000DFD8F
              • GetCursorPos.USER32(?), ref: 000DFDB0
              • ScreenToClient.USER32(?,?), ref: 000DFDBD
              • GetParent.USER32(?), ref: 000DFDD9
              • SendMessageW.USER32(?,00001012,00000000,?), ref: 000DFE3F
              • SendMessageW.USER32 ref: 000DFE6F
              • ClientToScreen.USER32(?,?), ref: 000DFEC5
              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 000DFEF1
              • SendMessageW.USER32(?,00001111,00000000,?), ref: 000DFF19
              • SendMessageW.USER32 ref: 000DFF3C
              • ClientToScreen.USER32(?,?), ref: 000DFF86
              • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 000DFFB6
              • GetWindowLongW.USER32(?,000000F0), ref: 000E004B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
              • String ID: @GUI_DRAGID$@U=u$F
              • API String ID: 2516578528-1007936534
              • Opcode ID: 64e71473874b5152c2123dc6754170a94bdf98dcfa3793fd0df818199b838ada
              • Instruction ID: 19205b100bbad5ced774ac3dd74d18d3373af9ab7e86cbf8fca3319ee5034912
              • Opcode Fuzzy Hash: 64e71473874b5152c2123dc6754170a94bdf98dcfa3793fd0df818199b838ada
              • Instruction Fuzzy Hash: 3032BC70604342AFDB20DF64C884BBABBE5FF49354F14462AF596872A1CB71DD40EB62
              APIs
              • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 000DB1CD
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: MessageSend
              • String ID: %d/%02d/%02d$@U=u
              • API String ID: 3850602802-2764005415
              • Opcode ID: 4a56193ef28f1beeb852feee02012a3b5a09b28c8ca55690983c8d95dda7a679
              • Instruction ID: ab308fecc62f859cd57214ac5b741eb97bbf2b3c49f96be673b88b31656d3643
              • Opcode Fuzzy Hash: 4a56193ef28f1beeb852feee02012a3b5a09b28c8ca55690983c8d95dda7a679
              • Instruction Fuzzy Hash: 3912AD71600308ABEB249F64CC49FAE7BF9FF46720F10412AF919DA2D1DBB48941DB61
              APIs
              • GetForegroundWindow.USER32(00000000,00000000), ref: 0008EB4A
              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 000E3AEA
              • IsIconic.USER32(000000FF), ref: 000E3AF3
              • ShowWindow.USER32(000000FF,00000009), ref: 000E3B00
              • SetForegroundWindow.USER32(000000FF), ref: 000E3B0A
              • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 000E3B20
              • GetCurrentThreadId.KERNEL32 ref: 000E3B27
              • GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 000E3B33
              • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 000E3B44
              • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 000E3B4C
              • AttachThreadInput.USER32(00000000,?,00000001), ref: 000E3B54
              • SetForegroundWindow.USER32(000000FF), ref: 000E3B57
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 000E3B6C
              • keybd_event.USER32(00000012,00000000), ref: 000E3B77
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 000E3B81
              • keybd_event.USER32(00000012,00000000), ref: 000E3B86
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 000E3B8F
              • keybd_event.USER32(00000012,00000000), ref: 000E3B94
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 000E3B9E
              • keybd_event.USER32(00000012,00000000), ref: 000E3BA3
              • SetForegroundWindow.USER32(000000FF), ref: 000E3BA6
              • AttachThreadInput.USER32(000000FF,?,00000000), ref: 000E3BCD
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
              • String ID: Shell_TrayWnd
              • API String ID: 4125248594-2988720461
              • Opcode ID: 49b4d774ef78a0097fd78bb55b01bd87c263cf16568f6179b75298465170a305
              • Instruction ID: 244af5fa1f3786e52af0458a843a3a3c1daf0d00abad539f702a983de5afb88a
              • Opcode Fuzzy Hash: 49b4d774ef78a0097fd78bb55b01bd87c263cf16568f6179b75298465170a305
              • Instruction Fuzzy Hash: 8D315E71A40318BFFB216B669C49F7F7E6DEB44B50F104026FA05EB1D0DBB55900EAA0
              APIs
                • Part of subcall function 000AB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 000AB180
                • Part of subcall function 000AB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 000AB1AD
                • Part of subcall function 000AB134: GetLastError.KERNEL32 ref: 000AB1BA
              • _memset.LIBCMT ref: 000AAD08
              • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 000AAD5A
              • CloseHandle.KERNEL32(?), ref: 000AAD6B
              • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 000AAD82
              • GetProcessWindowStation.USER32 ref: 000AAD9B
              • SetProcessWindowStation.USER32(00000000), ref: 000AADA5
              • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 000AADBF
                • Part of subcall function 000AAB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,000AACC0), ref: 000AAB99
                • Part of subcall function 000AAB84: CloseHandle.KERNEL32(?,?,000AACC0), ref: 000AABAB
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
              • String ID: $default$winsta0
              • API String ID: 2063423040-1027155976
              • Opcode ID: f56a9bc1b146ed5f8a7bff4d59a605bb83ecbd18e988e41e420073eb856b688f
              • Instruction ID: 14912a2b2d86867aa2f3197cd645a234a2ba9ebdc98de9a91b65c1214067dbf0
              • Opcode Fuzzy Hash: f56a9bc1b146ed5f8a7bff4d59a605bb83ecbd18e988e41e420073eb856b688f
              • Instruction Fuzzy Hash: DD81A071A00209AFEF11DFE4CD45AEEBBB9FF06304F04412AF914A65A1D7358E54EB61
              APIs
                • Part of subcall function 000B6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,000B5FA6,?), ref: 000B6ED8
                • Part of subcall function 000B6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,000B5FA6,?), ref: 000B6EF1
                • Part of subcall function 000B725E: __wsplitpath.LIBCMT ref: 000B727B
                • Part of subcall function 000B725E: __wsplitpath.LIBCMT ref: 000B728E
                • Part of subcall function 000B72CB: GetFileAttributesW.KERNEL32(?,000B6019), ref: 000B72CC
              • _wcscat.LIBCMT ref: 000B6149
              • _wcscat.LIBCMT ref: 000B6167
              • __wsplitpath.LIBCMT ref: 000B618E
              • FindFirstFileW.KERNEL32(?,?), ref: 000B61A4
              • _wcscpy.LIBCMT ref: 000B6209
              • _wcscat.LIBCMT ref: 000B621C
              • _wcscat.LIBCMT ref: 000B622F
              • lstrcmpiW.KERNEL32(?,?), ref: 000B625D
              • DeleteFileW.KERNEL32(?), ref: 000B626E
              • MoveFileW.KERNEL32(?,?), ref: 000B6289
              • MoveFileW.KERNEL32(?,?), ref: 000B6298
              • CopyFileW.KERNEL32(?,?,00000000), ref: 000B62AD
              • DeleteFileW.KERNEL32(?), ref: 000B62BE
              • FindNextFileW.KERNEL32(00000000,00000010), ref: 000B62E1
              • FindClose.KERNEL32(00000000), ref: 000B62FD
              • FindClose.KERNEL32(00000000), ref: 000B630B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
              • String ID: \*.*
              • API String ID: 1917200108-1173974218
              • Opcode ID: eea176a5422e71bf43e8ce8bfe2266653f69d7704b4a50248b00eb69d383968d
              • Instruction ID: 20e11015569c8cf9e1300b8c4b4055850d2035fc6987181e219313835d60aa84
              • Opcode Fuzzy Hash: eea176a5422e71bf43e8ce8bfe2266653f69d7704b4a50248b00eb69d383968d
              • Instruction Fuzzy Hash: 40511EB280811C6ADB21EBA5CC44DEF77FCAF15300F0901E6E585E2142DE3A9789DFA4
              APIs
              • OpenClipboard.USER32(0010DC00), ref: 000C6B36
              • IsClipboardFormatAvailable.USER32(0000000D), ref: 000C6B44
              • GetClipboardData.USER32(0000000D), ref: 000C6B4C
              • CloseClipboard.USER32 ref: 000C6B58
              • GlobalLock.KERNEL32(00000000), ref: 000C6B74
              • CloseClipboard.USER32 ref: 000C6B7E
              • GlobalUnlock.KERNEL32(00000000), ref: 000C6B93
              • IsClipboardFormatAvailable.USER32(00000001), ref: 000C6BA0
              • GetClipboardData.USER32(00000001), ref: 000C6BA8
              • GlobalLock.KERNEL32(00000000), ref: 000C6BB5
              • GlobalUnlock.KERNEL32(00000000), ref: 000C6BE9
              • CloseClipboard.USER32 ref: 000C6CF6
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
              • String ID:
              • API String ID: 3222323430-0
              • Opcode ID: 76ee600cc5e09ff1bf7086d2ebff23ac958e982b450ff95c87180bb8ccef04d1
              • Instruction ID: fe951020e236ea8878f53ac28cb925b75d21f4fc6b3c26efe07c37a25f4c851a
              • Opcode Fuzzy Hash: 76ee600cc5e09ff1bf7086d2ebff23ac958e982b450ff95c87180bb8ccef04d1
              • Instruction Fuzzy Hash: 05519171204201ABE320EF64DD86FBE77A9EF94B11F00402EF58AD61D1DF75E905DA62
              APIs
              • FindFirstFileW.KERNEL32(?,?), ref: 000BF62B
              • FindClose.KERNEL32(00000000), ref: 000BF67F
              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 000BF6A4
              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 000BF6BB
              • FileTimeToSystemTime.KERNEL32(?,?), ref: 000BF6E2
              • __swprintf.LIBCMT ref: 000BF72E
              • __swprintf.LIBCMT ref: 000BF767
              • __swprintf.LIBCMT ref: 000BF7BB
                • Part of subcall function 0009172B: __woutput_l.LIBCMT ref: 00091784
              • __swprintf.LIBCMT ref: 000BF809
              • __swprintf.LIBCMT ref: 000BF858
              • __swprintf.LIBCMT ref: 000BF8A7
              • __swprintf.LIBCMT ref: 000BF8F6
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
              • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
              • API String ID: 835046349-2428617273
              • Opcode ID: db7ee8175aecba161ab58b8f6f9ee75f70bbce5bf0f4bc4e2813e632d3095a0c
              • Instruction ID: 2a6414951c66868064ce0f58869644c3a92bf0c454d35bed88f24a9beac0aaa4
              • Opcode Fuzzy Hash: db7ee8175aecba161ab58b8f6f9ee75f70bbce5bf0f4bc4e2813e632d3095a0c
              • Instruction Fuzzy Hash: AFA10AB2508345ABD310EBA4C885DFFB7ECBF98704F44482EF59582152EB34D949DB62
              APIs
              • FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 000C1B50
              • _wcscmp.LIBCMT ref: 000C1B65
              • _wcscmp.LIBCMT ref: 000C1B7C
              • GetFileAttributesW.KERNEL32(?), ref: 000C1B8E
              • SetFileAttributesW.KERNEL32(?,?), ref: 000C1BA8
              • FindNextFileW.KERNEL32(00000000,?), ref: 000C1BC0
              • FindClose.KERNEL32(00000000), ref: 000C1BCB
              • FindFirstFileW.KERNEL32(*.*,?), ref: 000C1BE7
              • _wcscmp.LIBCMT ref: 000C1C0E
              • _wcscmp.LIBCMT ref: 000C1C25
              • SetCurrentDirectoryW.KERNEL32(?), ref: 000C1C37
              • SetCurrentDirectoryW.KERNEL32(001239FC), ref: 000C1C55
              • FindNextFileW.KERNEL32(00000000,00000010), ref: 000C1C5F
              • FindClose.KERNEL32(00000000), ref: 000C1C6C
              • FindClose.KERNEL32(00000000), ref: 000C1C7C
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
              • String ID: *.*
              • API String ID: 1803514871-438819550
              • Opcode ID: 346273cd12191dbc51a4ee596b10f8205ea31078aff1668e66e463f0d1d5ef69
              • Instruction ID: 5ef336d808b87c76565dbc741a21e707514cc63072168a93486832077acb8b0e
              • Opcode Fuzzy Hash: 346273cd12191dbc51a4ee596b10f8205ea31078aff1668e66e463f0d1d5ef69
              • Instruction Fuzzy Hash: 7031A232600619BBDF50ABA0AC49FEE77ADAF06320F10015AF811D2092EB74DE95DE64
              APIs
              • FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 000C1CAB
              • _wcscmp.LIBCMT ref: 000C1CC0
              • _wcscmp.LIBCMT ref: 000C1CD7
                • Part of subcall function 000B6BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 000B6BEF
              • FindNextFileW.KERNEL32(00000000,?), ref: 000C1D06
              • FindClose.KERNEL32(00000000), ref: 000C1D11
              • FindFirstFileW.KERNEL32(*.*,?), ref: 000C1D2D
              • _wcscmp.LIBCMT ref: 000C1D54
              • _wcscmp.LIBCMT ref: 000C1D6B
              • SetCurrentDirectoryW.KERNEL32(?), ref: 000C1D7D
              • SetCurrentDirectoryW.KERNEL32(001239FC), ref: 000C1D9B
              • FindNextFileW.KERNEL32(00000000,00000010), ref: 000C1DA5
              • FindClose.KERNEL32(00000000), ref: 000C1DB2
              • FindClose.KERNEL32(00000000), ref: 000C1DC2
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
              • String ID: *.*
              • API String ID: 1824444939-438819550
              • Opcode ID: f9ca4788baba738a5d477499811f8c9d84b2feac033d4c35fb0bd6b88ff5336a
              • Instruction ID: 8174ec60edd4fe58fe9be5772557c3307471f4b39312d67b431d783380ffa005
              • Opcode Fuzzy Hash: f9ca4788baba738a5d477499811f8c9d84b2feac033d4c35fb0bd6b88ff5336a
              • Instruction Fuzzy Hash: 6C31F63260061ABBDF50AFA0EC49FEE37AD9F06324F11055AF811A3092DB74DB85DA60
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: _memset
              • String ID: Q\E$[$[:<:]]$[:>:]]$\$\$\$\b(?<=\w)$\b(?=\w)$]$^
              • API String ID: 2102423945-2023335898
              • Opcode ID: 646426a4496798ce5f7eadc79e91f481e9277efbffb7d2c8227153fa6c3409a7
              • Instruction ID: ca56c3bbcbfa188088c1fec0646162f735b673742dc4efbcad60126de0823f17
              • Opcode Fuzzy Hash: 646426a4496798ce5f7eadc79e91f481e9277efbffb7d2c8227153fa6c3409a7
              • Instruction Fuzzy Hash: ED82CF71D0425ADFCB24CF98C8806BDBBB1BF48354F25C1A9D859BB241E778AD81CB94
              APIs
              • GetLocalTime.KERNEL32(?), ref: 000C09DF
              • SystemTimeToFileTime.KERNEL32(?,?), ref: 000C09EF
              • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 000C09FB
              • __wsplitpath.LIBCMT ref: 000C0A59
              • _wcscat.LIBCMT ref: 000C0A71
              • _wcscat.LIBCMT ref: 000C0A83
              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 000C0A98
              • SetCurrentDirectoryW.KERNEL32(?), ref: 000C0AAC
              • SetCurrentDirectoryW.KERNEL32(?), ref: 000C0ADE
              • SetCurrentDirectoryW.KERNEL32(?), ref: 000C0AFF
              • _wcscpy.LIBCMT ref: 000C0B0B
              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 000C0B4A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
              • String ID: *.*
              • API String ID: 3566783562-438819550
              • Opcode ID: adefef7bee83e95aac47ac739be45ef85c8a19a2a0334ebb11bf8587ad9cb9db
              • Instruction ID: f6cb43bbc92f464f1c373ccc9201e90ad0f6676b300ecb3c0213d2901251f750
              • Opcode Fuzzy Hash: adefef7bee83e95aac47ac739be45ef85c8a19a2a0334ebb11bf8587ad9cb9db
              • Instruction Fuzzy Hash: 956136725043059FDB10EF60C885EAEB3E9FF89314F04891EF99987252DB35EA45CB92
              APIs
                • Part of subcall function 000AABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 000AABD7
                • Part of subcall function 000AABBB: GetLastError.KERNEL32(?,000AA69F,?,?,?), ref: 000AABE1
                • Part of subcall function 000AABBB: GetProcessHeap.KERNEL32(00000008,?,?,000AA69F,?,?,?), ref: 000AABF0
                • Part of subcall function 000AABBB: HeapAlloc.KERNEL32(00000000,?,000AA69F,?,?,?), ref: 000AABF7
                • Part of subcall function 000AABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 000AAC0E
                • Part of subcall function 000AAC56: GetProcessHeap.KERNEL32(00000008,000AA6B5,00000000,00000000,?,000AA6B5,?), ref: 000AAC62
                • Part of subcall function 000AAC56: HeapAlloc.KERNEL32(00000000,?,000AA6B5,?), ref: 000AAC69
                • Part of subcall function 000AAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,000AA6B5,?), ref: 000AAC7A
              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 000AA6D0
              • _memset.LIBCMT ref: 000AA6E5
              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 000AA704
              • GetLengthSid.ADVAPI32(?), ref: 000AA715
              • GetAce.ADVAPI32(?,00000000,?), ref: 000AA752
              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 000AA76E
              • GetLengthSid.ADVAPI32(?), ref: 000AA78B
              • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 000AA79A
              • HeapAlloc.KERNEL32(00000000), ref: 000AA7A1
              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 000AA7C2
              • CopySid.ADVAPI32(00000000), ref: 000AA7C9
              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 000AA7FA
              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 000AA820
              • SetUserObjectSecurity.USER32(?,00000004,?), ref: 000AA834
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
              • String ID:
              • API String ID: 3996160137-0
              • Opcode ID: 74e189464e4beb6eb99e6fe071dd24e44d02fa9d6a835ebaf17d634fa52dd605
              • Instruction ID: 6beba8a511369f9ed19ab26cf5eae82eeb4a35a468f66d384f444ceadac89ae4
              • Opcode Fuzzy Hash: 74e189464e4beb6eb99e6fe071dd24e44d02fa9d6a835ebaf17d634fa52dd605
              • Instruction Fuzzy Hash: DD512E71A0020AAFDF10DF95DC45EEEBBB9FF0A300F04812AF915A7291DB399905DB61
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID:
              • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
              • API String ID: 0-4052911093
              • Opcode ID: 6a8b6427521e4c104ddfaa079f3fff698b7c5e388810d0fbad5d1b6d7a30ac30
              • Instruction ID: c5257b67d16a3d69a68ea76772bdbbb987e42751dd5c519fff39289e18495c22
              • Opcode Fuzzy Hash: 6a8b6427521e4c104ddfaa079f3fff698b7c5e388810d0fbad5d1b6d7a30ac30
              • Instruction Fuzzy Hash: 4B728F71E042199BDB64CF58C8807FEB7F5BF08310F24816AE919EB681DB749E81DB94
              APIs
                • Part of subcall function 000B6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,000B5FA6,?), ref: 000B6ED8
                • Part of subcall function 000B72CB: GetFileAttributesW.KERNEL32(?,000B6019), ref: 000B72CC
              • _wcscat.LIBCMT ref: 000B6441
              • __wsplitpath.LIBCMT ref: 000B645F
              • FindFirstFileW.KERNEL32(?,?), ref: 000B6474
              • _wcscpy.LIBCMT ref: 000B64A3
              • _wcscat.LIBCMT ref: 000B64B8
              • _wcscat.LIBCMT ref: 000B64CA
              • DeleteFileW.KERNEL32(?), ref: 000B64DA
              • FindNextFileW.KERNEL32(00000000,00000010), ref: 000B64EB
              • FindClose.KERNEL32(00000000), ref: 000B6506
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
              • String ID: \*.*
              • API String ID: 2643075503-1173974218
              • Opcode ID: a35eedeb3e02a0d9c4d6dfb05b56ce316033dcb77b64273b81494d17fe8902e8
              • Instruction ID: a00146aae47c3160b232b8f7c20cc1ff074994dad390ff9b8aaf2ad2a0441bd8
              • Opcode Fuzzy Hash: a35eedeb3e02a0d9c4d6dfb05b56ce316033dcb77b64273b81494d17fe8902e8
              • Instruction Fuzzy Hash: 333164B2408384AEC721DBA488859EF77DCAF55310F44092AF6D9C3142EB3AD509D7A7
              APIs
                • Part of subcall function 000D3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000D2BB5,?,?), ref: 000D3C1D
              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000D328E
                • Part of subcall function 0007936C: __swprintf.LIBCMT ref: 000793AB
                • Part of subcall function 0007936C: __itow.LIBCMT ref: 000793DF
              • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 000D332D
              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 000D33C5
              • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 000D3604
              • RegCloseKey.ADVAPI32(00000000), ref: 000D3611
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
              • String ID:
              • API String ID: 1240663315-0
              • Opcode ID: 2087d80a80bacd10dd8057cdc3c1642a3ec5f198b9ed54618c58fb5a360b6998
              • Instruction ID: 7424a357ff7f07c0ea24e6660598880fdad0e209fa2656c3c2424d2d2382b897
              • Opcode Fuzzy Hash: 2087d80a80bacd10dd8057cdc3c1642a3ec5f198b9ed54618c58fb5a360b6998
              • Instruction Fuzzy Hash: 37E13B71604300AFCB14DF29C995E6ABBE9FF89710B04856EF44AD7362DB34EA05CB52
              APIs
              • GetKeyboardState.USER32(?), ref: 000B2B5F
              • GetAsyncKeyState.USER32(000000A0), ref: 000B2BE0
              • GetKeyState.USER32(000000A0), ref: 000B2BFB
              • GetAsyncKeyState.USER32(000000A1), ref: 000B2C15
              • GetKeyState.USER32(000000A1), ref: 000B2C2A
              • GetAsyncKeyState.USER32(00000011), ref: 000B2C42
              • GetKeyState.USER32(00000011), ref: 000B2C54
              • GetAsyncKeyState.USER32(00000012), ref: 000B2C6C
              • GetKeyState.USER32(00000012), ref: 000B2C7E
              • GetAsyncKeyState.USER32(0000005B), ref: 000B2C96
              • GetKeyState.USER32(0000005B), ref: 000B2CA8
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: State$Async$Keyboard
              • String ID:
              • API String ID: 541375521-0
              • Opcode ID: 6a884d059cf64b9109464e9dd891b014274e7ed7bfae8bca09d9b03df8744494
              • Instruction ID: fbc653607d9eea3bc8ca6137fd07f56eb0e6ee2fa430837a0dbe776fdaf964ef
              • Opcode Fuzzy Hash: 6a884d059cf64b9109464e9dd891b014274e7ed7bfae8bca09d9b03df8744494
              • Instruction Fuzzy Hash: 4841F730504BC96DFFB19B6088097F9BFE16F11344F04805AD5C65B6C2DFA899C8C7A2
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Clipboard$AllocCloseEmptyGlobalOpen
              • String ID:
              • API String ID: 1737998785-0
              • Opcode ID: 86da09c38047942db7e3e46efc7a140dfaadcc9aaa04440220e43f14a8a8dcf8
              • Instruction ID: 55b0dd86eea077835f3c8fa8ebf740bfdfd4c2975525f85b21a742c0ac107a2f
              • Opcode Fuzzy Hash: 86da09c38047942db7e3e46efc7a140dfaadcc9aaa04440220e43f14a8a8dcf8
              • Instruction Fuzzy Hash: 20217A31600210AFEB21AF64DC49F7D77AAEF44711F00801AF94ADB2A2CB39E901DB95
              APIs
                • Part of subcall function 000A9ABF: CLSIDFromProgID.OLE32 ref: 000A9ADC
                • Part of subcall function 000A9ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 000A9AF7
                • Part of subcall function 000A9ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 000A9B05
                • Part of subcall function 000A9ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 000A9B15
              • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 000CC235
              • _memset.LIBCMT ref: 000CC242
              • _memset.LIBCMT ref: 000CC360
              • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 000CC38C
              • CoTaskMemFree.OLE32(?), ref: 000CC397
              Strings
              • NULL Pointer assignment, xrefs: 000CC3E5
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
              • String ID: NULL Pointer assignment
              • API String ID: 1300414916-2785691316
              • Opcode ID: 5ecef7fd2961c1361a7c01f7153779315a2a5442651202a07b0a26c1fcbb2cdc
              • Instruction ID: 4c869c2f0dd3e6ce39460387c2a1d50c242fc5dd1e327b84e0edfd535d036a4a
              • Opcode Fuzzy Hash: 5ecef7fd2961c1361a7c01f7153779315a2a5442651202a07b0a26c1fcbb2cdc
              • Instruction Fuzzy Hash: 14913B71D00218ABEB10DF94DC91FEEBBB9EF09710F10815AF519A7282EB715A45CFA0
              APIs
                • Part of subcall function 000AB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 000AB180
                • Part of subcall function 000AB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 000AB1AD
                • Part of subcall function 000AB134: GetLastError.KERNEL32 ref: 000AB1BA
              • ExitWindowsEx.USER32(?,00000000), ref: 000B7A0F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
              • String ID: $@$SeShutdownPrivilege
              • API String ID: 2234035333-194228
              • Opcode ID: 0781ed3872eed6d586708bb4f18fc7a1020cb694077fb7addb4a7b248d68ecb2
              • Instruction ID: 78fcdcef148b2f96320e41b7eb35460eb21412e84ba372b5c936543475455bc2
              • Opcode Fuzzy Hash: 0781ed3872eed6d586708bb4f18fc7a1020cb694077fb7addb4a7b248d68ecb2
              • Instruction Fuzzy Hash: 8801F7717582116AF7F81674DC4ABFF72989BC1740F140425F957F20C3DAA49E0091B6
              APIs
              • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 000C8CA8
              • WSAGetLastError.WSOCK32(00000000), ref: 000C8CB7
              • bind.WSOCK32(00000000,?,00000010), ref: 000C8CD3
              • listen.WSOCK32(00000000,00000005), ref: 000C8CE2
              • WSAGetLastError.WSOCK32(00000000), ref: 000C8CFC
              • closesocket.WSOCK32(00000000,00000000), ref: 000C8D10
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: ErrorLast$bindclosesocketlistensocket
              • String ID:
              • API String ID: 1279440585-0
              • Opcode ID: ced41b9b14971fa86a870544d1f51a0684a4352260e6bee468348492aeb270e8
              • Instruction ID: 0d75c85e1307c6c2c31ee28ebdbad11e1f8ca8ed5da1e6ff97d9b580b084d3d8
              • Opcode Fuzzy Hash: ced41b9b14971fa86a870544d1f51a0684a4352260e6bee468348492aeb270e8
              • Instruction Fuzzy Hash: EF21A0316002019FDB14AF68C985FBEB7EAEF48324F108159F956AB3D2CB34AD42DB55
              APIs
              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 000B6554
              • Process32FirstW.KERNEL32(00000000,0000022C), ref: 000B6564
              • Process32NextW.KERNEL32(00000000,0000022C), ref: 000B6583
              • __wsplitpath.LIBCMT ref: 000B65A7
              • _wcscat.LIBCMT ref: 000B65BA
              • CloseHandle.KERNEL32(00000000,?,00000000), ref: 000B65F9
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
              • String ID:
              • API String ID: 1605983538-0
              • Opcode ID: f81f875b8b3eeb0d5f329bce221ed47d4367b58fc5f880bece0375ae2a7e1125
              • Instruction ID: a10ef2fae53b0ebf9738cc4d448cbb4cbd23468d8afcc6944005204dcb8b6172
              • Opcode Fuzzy Hash: f81f875b8b3eeb0d5f329bce221ed47d4367b58fc5f880bece0375ae2a7e1125
              • Instruction Fuzzy Hash: 15216571900219ABDB20ABA4CC88FEDB7FDAB44300F5004A5F545E7141E7759F95DB60
              APIs
                • Part of subcall function 000CA82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 000CA84E
              • socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 000C9296
              • WSAGetLastError.WSOCK32(00000000,00000000), ref: 000C92B9
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: ErrorLastinet_addrsocket
              • String ID:
              • API String ID: 4170576061-0
              • Opcode ID: 2f37961211dd3f5a434a9627fd982318a9115b0105a49551e61d63f9952150b1
              • Instruction ID: 71cd31c348cf2f14451ad02a68e11862c1ebb5a4d07a50f559718e0a0c6e3683
              • Opcode Fuzzy Hash: 2f37961211dd3f5a434a9627fd982318a9115b0105a49551e61d63f9952150b1
              • Instruction Fuzzy Hash: 7241C370600200AFEB14BB68C846EBE77EDEF44724F14844DF956AB383DB749E028B91
              APIs
              • FindFirstFileW.KERNEL32(?,?), ref: 000BEB8A
              • _wcscmp.LIBCMT ref: 000BEBBA
              • _wcscmp.LIBCMT ref: 000BEBCF
              • FindNextFileW.KERNEL32(00000000,?), ref: 000BEBE0
              • FindClose.KERNEL32(00000000,00000001,00000000), ref: 000BEC0E
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Find$File_wcscmp$CloseFirstNext
              • String ID:
              • API String ID: 2387731787-0
              • Opcode ID: 4388d1105eec3fd42f34456cbcb99aaa6e000e20a8f0dcedc9f35fe3172927ef
              • Instruction ID: 37ccaa2dbb1583029d84d9c4c0bdc4a3f9ceb224a39c5e9552217f9b164c0f49
              • Opcode Fuzzy Hash: 4388d1105eec3fd42f34456cbcb99aaa6e000e20a8f0dcedc9f35fe3172927ef
              • Instruction Fuzzy Hash: D3419B35600702DFDB18DF28C491EEAB7E4FF49324F10456EE95A8B3A2DB71A941CB91
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Window$EnabledForegroundIconicVisibleZoomed
              • String ID:
              • API String ID: 292994002-0
              • Opcode ID: 00dd6e27a1d9ad6a397610344fbb43cb03534eb79173faefe2a371b3ac847eb5
              • Instruction ID: 26016d562f4c439d8db2380c9b0ed0380873575badbc28d85ef41b81f0653796
              • Opcode Fuzzy Hash: 00dd6e27a1d9ad6a397610344fbb43cb03534eb79173faefe2a371b3ac847eb5
              • Instruction Fuzzy Hash: F3119D35700211ABE7212F269C44EAFBBDDEF54760B05842AF849D7342CF34A90687A4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID:
              • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
              • API String ID: 0-1546025612
              • Opcode ID: b364d1065e3c09738e2a9f7533d9ad3d58695745c3c4724e2a2e50838186b3ba
              • Instruction ID: d4c774063bbb366672ac6ec84bc77a185b2d3243a41f08bd09ed06b2dea65013
              • Opcode Fuzzy Hash: b364d1065e3c09738e2a9f7533d9ad3d58695745c3c4724e2a2e50838186b3ba
              • Instruction Fuzzy Hash: 0F929C71E0021ACBEF74CF58C841BBDB7B1BB94310F1485AAE91AA7680D7389D81DF95
              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,?,0008E014,76F90AE0,0008DEF1,0010DC38,?,?), ref: 0008E02C
              • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0008E03E
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: GetNativeSystemInfo$kernel32.dll
              • API String ID: 2574300362-192647395
              • Opcode ID: 6a056578982be6eb8450feb12ee474fdb5a9c1440ca7d8b3b76e02acaf700a02
              • Instruction ID: 90986b2cb95ff3a7f11eb34cad1ac6e43c116a9ad39d7b87530a47e02f5eb20a
              • Opcode Fuzzy Hash: 6a056578982be6eb8450feb12ee474fdb5a9c1440ca7d8b3b76e02acaf700a02
              • Instruction Fuzzy Hash: F7D0A730400722BFD7315F60FC0862676D5BF00308F19481AE8C1D2590D7B8C8C0EB50
              APIs
              • lstrlenW.KERNEL32(?,?,?,00000000), ref: 000B13DC
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: lstrlen
              • String ID: ($|
              • API String ID: 1659193697-1631851259
              • Opcode ID: bf7edcc6b4ce686e4c1369b42f16039d114c3ed20d2ae30489b10f8b770371a3
              • Instruction ID: c02f929642acd69ba6e1a51b04da3e9e79a7eee0da9805399f05b3b7753cff81
              • Opcode Fuzzy Hash: bf7edcc6b4ce686e4c1369b42f16039d114c3ed20d2ae30489b10f8b770371a3
              • Instruction Fuzzy Hash: EF321575A00605DFC728CF69C490AAAB7F0FF48320B55C56EE59ADB3A2E770E941CB44
              APIs
                • Part of subcall function 0008B34E: GetWindowLongW.USER32(?,000000EB), ref: 0008B35F
              • DefDlgProcW.USER32(?,?,?,?,?), ref: 0008B22F
                • Part of subcall function 0008B55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0008B5A5
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Proc$LongWindow
              • String ID:
              • API String ID: 2749884682-0
              • Opcode ID: 469fb0c1d74a8ee25c1c08bc86be899356ee66c4c56d46ccecae9cb9e1c1bee9
              • Instruction ID: e63bcd5124c0ecea91c821a7f38c801e5b7938968a290a464563088debf1d3bc
              • Opcode Fuzzy Hash: 469fb0c1d74a8ee25c1c08bc86be899356ee66c4c56d46ccecae9cb9e1c1bee9
              • Instruction Fuzzy Hash: 73A157B0114189BEEB787B2A9C89EBF39DCFB46340F54411AF482E66D2DB249D01D376
              APIs
              • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,000C43BF,00000000), ref: 000C4FA6
              • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 000C4FD2
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Internet$AvailableDataFileQueryRead
              • String ID:
              • API String ID: 599397726-0
              • Opcode ID: 3994ce6c3ee3d712c8737d3e338792babf8eb545566d3096e2197f0ac28737e7
              • Instruction ID: a0c7e3b497be1c6df5c89b94ea6e8e79bdb52268b2e773ed1ac27a54a264010d
              • Opcode Fuzzy Hash: 3994ce6c3ee3d712c8737d3e338792babf8eb545566d3096e2197f0ac28737e7
              • Instruction Fuzzy Hash: 5941D171504609BFEB209F90CC85FBFB7FCFB40715F10002EF605A6181EA71AE819AA0
              APIs
              • SetErrorMode.KERNEL32(00000001), ref: 000BE20D
              • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 000BE267
              • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 000BE2B4
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: ErrorMode$DiskFreeSpace
              • String ID:
              • API String ID: 1682464887-0
              • Opcode ID: d6b7dae60953184257ddcc03e5fa04806b4fa78d77b6d96cda7c1f176b860e66
              • Instruction ID: a8c427445ff03ff96eee36ff2651bd13d412cf23dfe144c5b225795d8240a5b5
              • Opcode Fuzzy Hash: d6b7dae60953184257ddcc03e5fa04806b4fa78d77b6d96cda7c1f176b860e66
              • Instruction Fuzzy Hash: 3C216D35A00118EFDB00EFA5D894EEDBBF8FF48310F0484AAE945A7352DB359915CB50
              APIs
                • Part of subcall function 0008F4EA: std::exception::exception.LIBCMT ref: 0008F51E
                • Part of subcall function 0008F4EA: __CxxThrowException@8.LIBCMT ref: 0008F533
              • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 000AB180
              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 000AB1AD
              • GetLastError.KERNEL32 ref: 000AB1BA
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
              • String ID:
              • API String ID: 1922334811-0
              • Opcode ID: 976baefdf6f981dce36f8d3f78120d16122d7d0f40c369e86e14aca971b24238
              • Instruction ID: af3e38a57134545d2f36e0baaac4d85760aa6b499dd9690dc3279a8fa248dd93
              • Opcode Fuzzy Hash: 976baefdf6f981dce36f8d3f78120d16122d7d0f40c369e86e14aca971b24238
              • Instruction Fuzzy Hash: A911BFB1400205AFE718AFA4DC85D6BB7ADFB45310B20852EE09693641DB74FC41CB60
              APIs
              • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 000B6623
              • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 000B6664
              • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 000B666F
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: CloseControlCreateDeviceFileHandle
              • String ID:
              • API String ID: 33631002-0
              • Opcode ID: e6274a513fa81c3bb6121051feb5815d9065089893d7bd2c9bfb30d3b1661225
              • Instruction ID: f4b1bcc59640db0c0c94646bdcf1eadfe4f3572e3b63bd5a25e23e94dd41b2df
              • Opcode Fuzzy Hash: e6274a513fa81c3bb6121051feb5815d9065089893d7bd2c9bfb30d3b1661225
              • Instruction Fuzzy Hash: E3113C71E01228BFEB108FA89C44BEEBBFCEB45B10F104152F900E7290D2B55A019BA5
              APIs
              • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 000B7223
              • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 000B723A
              • FreeSid.ADVAPI32(?), ref: 000B724A
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: AllocateCheckFreeInitializeMembershipToken
              • String ID:
              • API String ID: 3429775523-0
              • Opcode ID: 6b56a887d5125eb116e2cf643fa65f40b5fde9ef7bc2383b54b0e3ff07973d3d
              • Instruction ID: 215627089569e7f93a0b3a765f1f92203b3ae3d71c3498eebd4f7fa20f9514ca
              • Opcode Fuzzy Hash: 6b56a887d5125eb116e2cf643fa65f40b5fde9ef7bc2383b54b0e3ff07973d3d
              • Instruction Fuzzy Hash: BAF01275904209BFDF04DFE4DD89EFDBBB9EF08301F104469A502E2591E6749654DB10
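              The two records above are more useful once their numeric arguments are decoded: the DeviceIoControl call with control code 002D1400 (12-byte input, 0x28-byte output) and the AllocateAndInitializeSid call with sub-authorities 00000020 and 00000220 followed by CheckTokenMembership. The Python helper below is an added example, not part of the Joe Sandbox output or of the analysed sample; it splits a control code into its CTL_CODE fields and renders the SID the record would build. The SID's identifier authority is shown as "?" in the record, so SECURITY_NT_AUTHORITY (5) is an assumption; constant names are from the Windows SDK headers (winioctl.h, winnt.h).

```python
# Added example: decoders for the argument values seen in the DeviceIoControl
# and AllocateAndInitializeSid records of this report. Not part of the Joe
# Sandbox output. Constant names come from the Windows SDK (winioctl.h,
# winnt.h); the SID identifier authority is not visible in the record, so
# SECURITY_NT_AUTHORITY (5) is assumed in the usage at the bottom.

# CTL_CODE(DeviceType, Function, Method, Access) =
#   (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS | FILE_WRITE_ACCESS"}
DEVICE_TYPES = {0x07: "FILE_DEVICE_DISK", 0x12: "FILE_DEVICE_NETWORK",
                0x22: "FILE_DEVICE_UNKNOWN", 0x2D: "FILE_DEVICE_MASS_STORAGE"}
# A few codes worth recognising at a glance in sandbox listings; extend as needed.
KNOWN_IOCTLS = {
    0x00070000: "IOCTL_DISK_GET_DRIVE_GEOMETRY",
    0x002D1080: "IOCTL_STORAGE_GET_DEVICE_NUMBER",
    0x002D1400: "IOCTL_STORAGE_QUERY_PROPERTY",
    0x002D4808: "IOCTL_STORAGE_EJECT_MEDIA",
}


def decode_ioctl(code: int) -> dict:
    """Split a DeviceIoControl control code into its CTL_CODE fields."""
    device = (code >> 16) & 0xFFFF
    return {
        "name": KNOWN_IOCTLS.get(code, "unknown"),
        "device_type": DEVICE_TYPES.get(device, f"0x{device:X}"),
        "function": (code >> 2) & 0xFFF,
        "method": METHODS[code & 0x3],
        "access": ACCESS[(code >> 14) & 0x3],
    }


def build_sid(authority: int, sub_authorities: list) -> str:
    """Render the SID that AllocateAndInitializeSid(authority, n, subs...) builds."""
    return "S-1-" + "-".join(str(x) for x in [authority, *sub_authorities])


WELL_KNOWN_SIDS = {
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}


def well_known_name(sid: str) -> str:
    """Map a SID string to its well-known account name, if it is in the table."""
    return WELL_KNOWN_SIDS.get(sid, "not in table")


if __name__ == "__main__":
    # Values taken from the two API records above.
    print(decode_ioctl(0x002D1400))
    # Authority 5 is an assumption: the record shows it as "?".
    sid = build_sid(5, [0x20, 0x220])
    print(sid, well_known_name(sid))
```

              Decoding 002D1400 gives FILE_DEVICE_MASS_STORAGE, function 0x500, METHOD_BUFFERED, FILE_ANY_ACCESS, which is IOCTL_STORAGE_QUERY_PROPERTY; the 12-byte input and 0x28-byte output match sizeof(STORAGE_PROPERTY_QUERY) and sizeof(STORAGE_DEVICE_DESCRIPTOR), so the function most likely reads drive properties such as bus type or the removable flag (an inference from the sizes, not something the report states). Sub-authorities 0x20 and 0x220 are SECURITY_BUILTIN_DOMAIN_RID and DOMAIN_ALIAS_RID_ADMINS, so with the NT authority the SID is S-1-5-32-544, and CheckTokenMembership against it is the standard "is the caller an administrator" test.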
              APIs
              • FindFirstFileW.KERNEL32(?,?), ref: 000BF599
              • FindClose.KERNEL32(00000000), ref: 000BF5C9
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Find$CloseFileFirst
              • String ID:
              • API String ID: 2295610775-0
              • Opcode ID: aec7b50064fbbcfeb607e093b454a0ac95d7bc485fd930ac236a70dd50103555
              • Instruction ID: d6e09b0ca5f40d6ae104066825425e7b31b909802ef1f6ae08c92be11dba3ea1
              • Opcode Fuzzy Hash: aec7b50064fbbcfeb607e093b454a0ac95d7bc485fd930ac236a70dd50103555
              • Instruction Fuzzy Hash: 0C116D726006019FD710EF28D845ABEB7E9FF84324F00896EF9A9D7291DB34A9018B85
              APIs
              • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,000CBE6A,?,?,00000000,?), ref: 000BCEA7
              • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,000CBE6A,?,?,00000000,?), ref: 000BCEB9
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: ErrorFormatLastMessage
              • String ID:
              • API String ID: 3479602957-0
              • Opcode ID: e4b6ddacf5d91962ef834e39a006ee4ef2c6113d67d4fe22f6c4ecff7701641f
              • Instruction ID: d49abdd8a5a26166d70a63306a006a343cb2fba2057ae97944833888e5583860
              • Opcode Fuzzy Hash: e4b6ddacf5d91962ef834e39a006ee4ef2c6113d67d4fe22f6c4ecff7701641f
              • Instruction Fuzzy Hash: 86F08231500229EBEB209BA4DC89FFA776DBF08351F008166F919D6181D634DA40DBA0
              APIs
              • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 000B4153
              • keybd_event.USER32(?,753DC0D0,?,00000000), ref: 000B4166
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: InputSendkeybd_event
              • String ID:
              • API String ID: 3536248340-0
              • Opcode ID: 094cc11687c35319e7040970ca7622702ee45195e190d9a78b7fa02908374fbe
              • Instruction ID: 527fdd2fde3935c43174bde52688cd4f0e1c50ba85a12904d01fdbc724564bc2
              • Opcode Fuzzy Hash: 094cc11687c35319e7040970ca7622702ee45195e190d9a78b7fa02908374fbe
              • Instruction Fuzzy Hash: 9DF0677080424DAFEB058FA4C805BFE7BB1EF00305F00840AF966A6192D7798616EFA0
              APIs
              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,000AACC0), ref: 000AAB99
              • CloseHandle.KERNEL32(?,?,000AACC0), ref: 000AABAB
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: AdjustCloseHandlePrivilegesToken
              • String ID:
              • API String ID: 81990902-0
              • Opcode ID: 8606b5a3aa193ac34a378a4afc58735bfab2b9fb5ad41713014acfe2067570be
              • Instruction ID: 5f05f302666f72ff353f89b00f81c246e02e102ba2503b87c3a5614597aeb52e
              • Opcode Fuzzy Hash: 8606b5a3aa193ac34a378a4afc58735bfab2b9fb5ad41713014acfe2067570be
              • Instruction Fuzzy Hash: 33E0E671010511AFF7252F64EC09DB777EAEF043207108429F59981871DB625D90DB50
              APIs
              • SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,00096DB3,-0000031A,?,?,00000001), ref: 000981B1
              • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 000981BA
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: ExceptionFilterUnhandled
              • String ID:
              • API String ID: 3192549508-0
              • Opcode ID: 04e033098af42f283775b1693e4873ab275341d359148cb543c1359be2fc55d0
              • Instruction ID: 06c1da9bcf9a8cd0c17f6da8f96b4434b5a12ecb5848f64eefe051cf007511d2
              • Opcode Fuzzy Hash: 04e033098af42f283775b1693e4873ab275341d359148cb543c1359be2fc55d0
              • Instruction Fuzzy Hash: 92B09272048608ABEB002BA1EC09B687F6AEB08652F004012F70D448A18B765610FA92
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: _memmove
              • String ID:
              • API String ID: 4104443479-0
              • Opcode ID: 0d996b64848c38582a55a18d2b1353c46baa035165c603d57ebc76334c9e2687
              • Instruction ID: bd0e2e4f612b888046f690435d4bcf6c3c7c9ea28c4498e819e83278e285e4b0
              • Opcode Fuzzy Hash: 0d996b64848c38582a55a18d2b1353c46baa035165c603d57ebc76334c9e2687
              • Instruction Fuzzy Hash: 10A25770E04219DFDB64CF58C8806ADBBF1BF48350F2581A9E959AB391D7349E81DF84
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Exception@8Throwstd::exception::exception
              • String ID: @
              • API String ID: 3728558374-2766056989
              • Opcode ID: 09d579d2249e108649d6a65e3da9ca0e00757b096baa01e74f097169a1d820dc
              • Instruction ID: be815800ab92cbbacd625c1a16015b4b50620e01f1f691c2634a852c1adb9fd4
              • Opcode Fuzzy Hash: 09d579d2249e108649d6a65e3da9ca0e00757b096baa01e74f097169a1d820dc
              • Instruction Fuzzy Hash: 5472B070D04209DFDF24EF94C481AEEB7B5FF48700F14806AE989AB292D775AE45CB91
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 20429a22de5f92f814b341092324e6b0df992ed03f68b9a4a963a8bfe10f2bce
              • Instruction ID: adf56c71800df1d6f37fbc7757a6a4de315cfba4681848715444be786b4c8bb3
              • Opcode Fuzzy Hash: 20429a22de5f92f814b341092324e6b0df992ed03f68b9a4a963a8bfe10f2bce
              • Instruction Fuzzy Hash: 58323422D69F014DDB639634C926336A289AFB73C4F15D737E859B5EAAEB38C4C35100
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: __itow__swprintf
              • String ID:
              • API String ID: 674341424-0
              • Opcode ID: 01cbed8e328d93ea17276a58679f088edca7878d85e520db7728e4eaba9d5002
              • Instruction ID: 69da0936f017c46b0878c730b152cf5a0205e864f6bec0092e8f88c932721822
              • Opcode Fuzzy Hash: 01cbed8e328d93ea17276a58679f088edca7878d85e520db7728e4eaba9d5002
              • Instruction Fuzzy Hash: 1522A971A083419FE724DF24C881BAFB7E4BF84310F10891DF89A97292DB75E945CB86
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dce0f3b6825207ae9fdfe43ce3a3c991f5eae12149312c8f9b07bd6ac8fee629
              • Instruction ID: ec86d393f2cdb165512dbc234b6363025bee1643b4ec70e942460990328fb6b0
              • Opcode Fuzzy Hash: dce0f3b6825207ae9fdfe43ce3a3c991f5eae12149312c8f9b07bd6ac8fee629
              • Instruction Fuzzy Hash: A1B1E020D2AF414DD3239639883533BB65CAFBB2D5B91D71BFC6A74D26EB6181C34580
              APIs
              • __time64.LIBCMT ref: 000BB6DF
                • Part of subcall function 0009344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,000BBDC3,00000000,?,?,?,?,000BBF70,00000000,?), ref: 00093453
                • Part of subcall function 0009344A: __aulldiv.LIBCMT ref: 00093473
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Time$FileSystem__aulldiv__time64
              • String ID:
              • API String ID: 2893107130-0
              • Opcode ID: b12993a6cb58f4e852a51bbd59d8493e9afa7faa5e64301ddd0a82e3b16c52b9
              • Instruction ID: c9cff1bd17139db9933a1d70271e8921c7eb80727921c5cdbd295c2c05488369
              • Opcode Fuzzy Hash: b12993a6cb58f4e852a51bbd59d8493e9afa7faa5e64301ddd0a82e3b16c52b9
              • Instruction Fuzzy Hash: CE218176634510CBC729CF38C881A92B7E1EB95311B248E7DE4E5CB2C1CB78BA45DB58
              APIs
              • BlockInput.USER32(00000001), ref: 000C6ACA
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: BlockInput
              • String ID:
              • API String ID: 3456056419-0
              • Opcode ID: 7f7eedcd8b3e06533b7c2415630e87971da740386082672416698fe74dead8fe
              • Instruction ID: 43e9b0c5d2017cdf11f4f3baef3a98b3454d37e02afa008e099b260c7580722a
              • Opcode Fuzzy Hash: 7f7eedcd8b3e06533b7c2415630e87971da740386082672416698fe74dead8fe
              • Instruction Fuzzy Hash: 40E0D835200200AFC710EF59D404E9AB7ECEF74351F04C41BF945D7251CAB1F8048B90
              APIs
              • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 000B74DE
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: mouse_event
              • String ID:
              • API String ID: 2434400541-0
              • Opcode ID: f1dada9c246b1a326737be82c397172f3fb92a67ea6fe23afd26c9d8e22d4884
              • Instruction ID: 737fc2c679a9b6057dc24fdc0e867bd2ce06c7e0796580b4c9db4abc864b8cea
              • Opcode Fuzzy Hash: f1dada9c246b1a326737be82c397172f3fb92a67ea6fe23afd26c9d8e22d4884
              • Instruction Fuzzy Hash: F6D05EA012C70538FC7907248C0FFFA0948F3807C3F808199B18AC94C2BB805C05A032
              APIs
              • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,000AAD3E), ref: 000AB124
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: LogonUser
              • String ID:
              • API String ID: 1244722697-0
              • Opcode ID: a031aa6a89cf4b0bb71f87ec4a4c500a8bdd47d3013658f73dc34a486511e9e8
              • Instruction ID: f46a2e0a08ec9f3130cab5719ce0d5b35f3deb3e9da9529f0a0432813cd79621
              • Opcode Fuzzy Hash: a031aa6a89cf4b0bb71f87ec4a4c500a8bdd47d3013658f73dc34a486511e9e8
              • Instruction Fuzzy Hash: 89D05E320A460EAEEF024FA4DC02EBE3F6AEB04700F408111FA11C50A0C675D531EB50
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: NameUser
              • String ID:
              • API String ID: 2645101109-0
              • Opcode ID: 1a04d1ae16aa13779319c9add90a61677302f84bd34e4bba480bab77ae6ec148
              • Instruction ID: 59ec5cd437b8fa8f6340181dc600a42be86d6d1d3c3b0c81fe6faad326909cde
              • Opcode Fuzzy Hash: 1a04d1ae16aa13779319c9add90a61677302f84bd34e4bba480bab77ae6ec148
              • Instruction Fuzzy Hash: 36C04CB1400149DFD751CBC0C944AEEB7BCAB08301F2040929105F1110DB749B45DB72
              APIs
              • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0009818F
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: ExceptionFilterUnhandled
              • String ID:
              • API String ID: 3192549508-0
              • Opcode ID: c6f8c243f1f0f5145a7162d2d951853ac77a2abb4e1dc1f330bf9d21fbdf18fe
              • Instruction ID: 08aa0a18da54e403e6517dd02c7a432f0f2c3cdf9b906302e8cbed1bde6f82e9
              • Opcode Fuzzy Hash: c6f8c243f1f0f5145a7162d2d951853ac77a2abb4e1dc1f330bf9d21fbdf18fe
              • Instruction Fuzzy Hash: 54A0223200020CFBCF002F82FC088A83F2EFB002A0B000022FA0C00830CB33AA20FAC2
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 299680053f3ddfc32510cee4f2c359bc22bcde0da845dca910d818598ce1d1b8
              • Instruction ID: 0e8d1c9649acd82406595c858ed9e1e7fe28d5bac90d2dea15c92b968d815808
              • Opcode Fuzzy Hash: 299680053f3ddfc32510cee4f2c359bc22bcde0da845dca910d818598ce1d1b8
              • Instruction Fuzzy Hash: 7E229F70E052468FDB64DF58C440AAEB7F0FF18304F14C0A9D98EAB352E779A981CB95
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b7db6edb7dccaba1a8accdff5981042ff0a4a5e2716787c39e66b1ea68c126ff
              • Instruction ID: bc6376b3600b245f745edeabd2e8d71d50cfc80f8f5e40c583992dd3014f2ed0
              • Opcode Fuzzy Hash: b7db6edb7dccaba1a8accdff5981042ff0a4a5e2716787c39e66b1ea68c126ff
              • Instruction Fuzzy Hash: 16126B70E00609AFDF14DFA5D985AEEB7F9FF48300F108529E44AE7251EB3AA911CB54
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Exception@8Throwstd::exception::exception
              • String ID:
              • API String ID: 3728558374-0
              • Opcode ID: 62e81d5ee5614e0d28d40a6d5881627ca084cddab6706c0537e21890c294893e
              • Instruction ID: 434a1d6391df1df4beca5a124ee4329c8a7932aca0fecaea19ffa1b935bb4bf2
              • Opcode Fuzzy Hash: 62e81d5ee5614e0d28d40a6d5881627ca084cddab6706c0537e21890c294893e
              • Instruction Fuzzy Hash: 06028E70E00109EFDB14DF65D981AAEBBB9FF44300F14C069E80AEB256EB35DA51CB95
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
              • Instruction ID: bd952f90532d6b0de54335d87234674f02036c9c813cb94b0593432b203ef5d9
              • Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
              • Instruction Fuzzy Hash: E6C182722051930EDFAD463A847443EBAE16BB2BB131A076DD8F2CB5D5EF24C564E720
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
              • Instruction ID: 7fab711a27b774ff2a240903fd41648d03a5e3762acf47b4b3bfe8d519163481
              • Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
              • Instruction Fuzzy Hash: 06C18F722091930EDFAD463A847443EBAE16BB2BB131A176DD4F2CB4D5EF24D524E720
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
              • Instruction ID: 329c5172605620eaac2e5e05db34746035b2cf499d88ce4e003f93950a05e18b
              • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
              • Instruction Fuzzy Hash: 6BC1AB722091930ADBAD563A847043EBAE16BB2BB131A077DD8F2CB5D5EF24C524D720
              APIs
              • DeleteObject.GDI32(00000000), ref: 000CA2FE
              • DeleteObject.GDI32(00000000), ref: 000CA310
              • DestroyWindow.USER32 ref: 000CA31E
              • GetDesktopWindow.USER32 ref: 000CA338
              • GetWindowRect.USER32(00000000), ref: 000CA33F
              • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 000CA480
              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 000CA490
              • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000CA4D8
              • GetClientRect.USER32(00000000,?), ref: 000CA4E4
              • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 000CA51E
              • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000CA540
              • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000CA553
              • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000CA55E
              • GlobalLock.KERNEL32(00000000), ref: 000CA567
              • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000CA576
              • GlobalUnlock.KERNEL32(00000000), ref: 000CA57F
              • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000CA586
              • GlobalFree.KERNEL32(00000000), ref: 000CA591
              • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000CA5A3
              • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,000FD9BC,00000000), ref: 000CA5B9
              • GlobalFree.KERNEL32(00000000), ref: 000CA5C9
              • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 000CA5EF
              • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 000CA60E
              • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000CA630
              • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000CA81D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
              • String ID: $@U=u$AutoIt v3$DISPLAY$static
              • API String ID: 2211948467-3613752883
              • Opcode ID: 87547948cb57548f9a94c927c9f005f675526afff403da332b26a42d0c8d90a5
              • Instruction ID: a43d18858d19cb09802904249aebfa28e2f774c04732e50473705628eaa681c6
              • Opcode Fuzzy Hash: 87547948cb57548f9a94c927c9f005f675526afff403da332b26a42d0c8d90a5
              • Instruction Fuzzy Hash: B8026E71A00218EFDB14DFA4CD89EAE7BB9FF49314F008159F905AB2A1D774AD41DB60
              APIs
              • SetTextColor.GDI32(?,00000000), ref: 000DD2DB
              • GetSysColorBrush.USER32(0000000F), ref: 000DD30C
              • GetSysColor.USER32(0000000F), ref: 000DD318
              • SetBkColor.GDI32(?,000000FF), ref: 000DD332
              • SelectObject.GDI32(?,00000000), ref: 000DD341
              • InflateRect.USER32(?,000000FF,000000FF), ref: 000DD36C
              • GetSysColor.USER32(00000010), ref: 000DD374
              • CreateSolidBrush.GDI32(00000000), ref: 000DD37B
              • FrameRect.USER32(?,?,00000000), ref: 000DD38A
              • DeleteObject.GDI32(00000000), ref: 000DD391
              • InflateRect.USER32(?,000000FE,000000FE), ref: 000DD3DC
              • FillRect.USER32(?,?,00000000), ref: 000DD40E
              • GetWindowLongW.USER32(?,000000F0), ref: 000DD439
                • Part of subcall function 000DD575: GetSysColor.USER32(00000012), ref: 000DD5AE
                • Part of subcall function 000DD575: SetTextColor.GDI32(?,?), ref: 000DD5B2
                • Part of subcall function 000DD575: GetSysColorBrush.USER32(0000000F), ref: 000DD5C8
                • Part of subcall function 000DD575: GetSysColor.USER32(0000000F), ref: 000DD5D3
                • Part of subcall function 000DD575: GetSysColor.USER32(00000011), ref: 000DD5F0
                • Part of subcall function 000DD575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 000DD5FE
                • Part of subcall function 000DD575: SelectObject.GDI32(?,00000000), ref: 000DD60F
                • Part of subcall function 000DD575: SetBkColor.GDI32(?,00000000), ref: 000DD618
                • Part of subcall function 000DD575: SelectObject.GDI32(?,?), ref: 000DD625
                • Part of subcall function 000DD575: InflateRect.USER32(?,000000FF,000000FF), ref: 000DD644
                • Part of subcall function 000DD575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 000DD65B
                • Part of subcall function 000DD575: GetWindowLongW.USER32(00000000,000000F0), ref: 000DD670
                • Part of subcall function 000DD575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 000DD698
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
              • String ID: @U=u
              • API String ID: 3521893082-2594219639
              • Opcode ID: d177f31828f31a8ba61c799d7dab305349e5716f4c1f309cb900e3f1cee8eb35
              • Instruction ID: f8fe538cc0cbdf8a87992f21cd15b6ea6c29f5bbf00a3ea8f2829fe82281c17a
              • Opcode Fuzzy Hash: d177f31828f31a8ba61c799d7dab305349e5716f4c1f309cb900e3f1cee8eb35
              • Instruction Fuzzy Hash: 0F919E71008701BFE7109F64DC08E6B7BAAFF89725F100A1BF962961A0C774D944DB62
              APIs
              • DestroyWindow.USER32 ref: 0008B98B
              • DeleteObject.GDI32(00000000), ref: 0008B9CD
              • DeleteObject.GDI32(00000000), ref: 0008B9D8
              • DestroyIcon.USER32(00000000), ref: 0008B9E3
              • DestroyWindow.USER32(00000000), ref: 0008B9EE
              • SendMessageW.USER32(?,00001308,?,00000000), ref: 000ED2AA
              • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 000ED2E3
              • MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 000ED711
                • Part of subcall function 0008B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0008B759,?,00000000,?,?,?,?,0008B72B,00000000,?), ref: 0008BA58
              • SendMessageW.USER32 ref: 000ED758
              • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 000ED76F
              • ImageList_Destroy.COMCTL32(00000000), ref: 000ED785
              • ImageList_Destroy.COMCTL32(00000000), ref: 000ED790
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
              • String ID: 0$@U=u
              • API String ID: 464785882-975001249
              • Opcode ID: 8b40b10de8cff9f231186a4597f0ec50114a44ae8a6866f09cde45b137d5e0ad
              • Instruction ID: 72c76f33e18e272340b524fbc7dfaf8916642c29f6bb1c935cf6b58852966cf4
              • Opcode Fuzzy Hash: 8b40b10de8cff9f231186a4597f0ec50114a44ae8a6866f09cde45b137d5e0ad
              • Instruction Fuzzy Hash: 7712AD70204281DFDB64DF25C884BA9BBE1FF45304F18456AE9C9EB6A2CB31EC41DB91
              APIs
              • GetSysColor.USER32(00000012), ref: 000DD5AE
              • SetTextColor.GDI32(?,?), ref: 000DD5B2
              • GetSysColorBrush.USER32(0000000F), ref: 000DD5C8
              • GetSysColor.USER32(0000000F), ref: 000DD5D3
              • CreateSolidBrush.GDI32(?), ref: 000DD5D8
              • GetSysColor.USER32(00000011), ref: 000DD5F0
              • CreatePen.GDI32(00000000,00000001,00743C00), ref: 000DD5FE
              • SelectObject.GDI32(?,00000000), ref: 000DD60F
              • SetBkColor.GDI32(?,00000000), ref: 000DD618
              • SelectObject.GDI32(?,?), ref: 000DD625
              • InflateRect.USER32(?,000000FF,000000FF), ref: 000DD644
              • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 000DD65B
              • GetWindowLongW.USER32(00000000,000000F0), ref: 000DD670
              • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 000DD698
              • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 000DD6BF
              • InflateRect.USER32(?,000000FD,000000FD), ref: 000DD6DD
              • DrawFocusRect.USER32(?,?), ref: 000DD6E8
              • GetSysColor.USER32(00000011), ref: 000DD6F6
              • SetTextColor.GDI32(?,00000000), ref: 000DD6FE
              • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 000DD712
              • SelectObject.GDI32(?,000DD2A5), ref: 000DD729
              • DeleteObject.GDI32(?), ref: 000DD734
              • SelectObject.GDI32(?,?), ref: 000DD73A
              • DeleteObject.GDI32(?), ref: 000DD73F
              • SetTextColor.GDI32(?,?), ref: 000DD745
              • SetBkColor.GDI32(?,?), ref: 000DD74F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
              • String ID: @U=u
              • API String ID: 1996641542-2594219639
              • Opcode ID: bda91ead3c8c02f627040b578655178005ea091133dc0e8a6377ba3d3248ccb0
              • Instruction ID: c3b2cb255ce9e6cfd42cef0ac0acce972bdd6456b62cc54cac26086b7c934d8b
              • Opcode Fuzzy Hash: bda91ead3c8c02f627040b578655178005ea091133dc0e8a6377ba3d3248ccb0
              • Instruction Fuzzy Hash: A0514F71900608BFEF109FA4DC48EAE7BBAFF09324F104516F915AB2A1D7759A40EF60
              APIs
              • SetErrorMode.KERNEL32(00000001), ref: 000BDBD6
              • GetDriveTypeW.KERNEL32(?,0010DC54,?,\\.\,0010DC00), ref: 000BDCC3
              • SetErrorMode.KERNEL32(00000000,0010DC54,?,\\.\,0010DC00), ref: 000BDE29
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: ErrorMode$DriveType
              • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
              • API String ID: 2907320926-4222207086
              • Opcode ID: e0492f98ebc5b90db83a5042754da590b53b2de8a17fa4b8e051108e6e52a523
              • Instruction ID: 9ad870fc77c8f74a51634edff4da9a9386b04ebd8034d163575ced6f0df78098
              • Opcode Fuzzy Hash: e0492f98ebc5b90db83a5042754da590b53b2de8a17fa4b8e051108e6e52a523
              • Instruction Fuzzy Hash: 4A51C530648302ABC620EF10D892CEDF7E1FB94701F10491BF0A7A7292EB74D965DB46
              APIs
              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 000DC788
              • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 000DC83E
              • SendMessageW.USER32(?,00001102,00000002,?), ref: 000DC859
              • SendMessageW.USER32(?,000000F1,?,00000000), ref: 000DCB15
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: MessageSend$Window
              • String ID: 0$@U=u
              • API String ID: 2326795674-975001249
              • Opcode ID: aa683b717c53836be8ca723bc12a119f843b5b2fcf43f08bb6f96e8f9eb976a1
              • Instruction ID: bf1ba85ae17de9d523defaf94c8f0f4afec5b46fdf48f1b3d29a1359dd20e6b8
              • Opcode Fuzzy Hash: aa683b717c53836be8ca723bc12a119f843b5b2fcf43f08bb6f96e8f9eb976a1
              • Instruction Fuzzy Hash: 27F1AF71204302ABF7618F24C849FAABBE5FF49354F08052BF599D63A1C774C941DBA2
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: __wcsnicmp
              • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
              • API String ID: 1038674560-86951937
              • Opcode ID: f11837458410f0ecb572a07eb08bf712cb1f60d88333d13c11c184421161d609
              • Instruction ID: 3379cc972933ffa5fd60ba35cce87020a872356d86203e06f026c4f1a30864f2
              • Opcode Fuzzy Hash: f11837458410f0ecb572a07eb08bf712cb1f60d88333d13c11c184421161d609
              • Instruction Fuzzy Hash: E7810870A40255ABEB25AAA5DC43FEF77ADAF14300F048039F9497A1C3EB74DA41D395
              APIs
              • CharUpperBuffW.USER32(?,?,0010DC00), ref: 000D6449
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: BuffCharUpper
              • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
              • API String ID: 3964851224-45149045
              • Opcode ID: 4bb1d0fb1771ef0544e524e2a37cdd16c0075a0c80675dde774bfe56f6138e90
              • Instruction ID: 0f48d01d10b7cdc48269646cf38e910c51e995464eb2158b546625604be556ef
              • Opcode Fuzzy Hash: 4bb1d0fb1771ef0544e524e2a37cdd16c0075a0c80675dde774bfe56f6138e90
              • Instruction Fuzzy Hash: 80C190306083558BCB14FF50C551AAE77E5BF95344F00485AF88A6B3A7DB22ED4BCB92
              APIs
              • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 000DB7B0
              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 000DB7C1
              • CharNextW.USER32(0000014E), ref: 000DB7F0
              • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 000DB831
              • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 000DB847
              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 000DB858
              • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 000DB875
              • SetWindowTextW.USER32(?,0000014E), ref: 000DB8C7
              • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 000DB8DD
              • SendMessageW.USER32(?,00001002,00000000,?), ref: 000DB90E
              • _memset.LIBCMT ref: 000DB933
              • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 000DB97C
              • _memset.LIBCMT ref: 000DB9DB
              • SendMessageW.USER32 ref: 000DBA05
              • SendMessageW.USER32(?,00001074,?,00000001), ref: 000DBA5D
              • SendMessageW.USER32(?,0000133D,?,?), ref: 000DBB0A
              • InvalidateRect.USER32(?,00000000,00000001), ref: 000DBB2C
              • GetMenuItemInfoW.USER32(?), ref: 000DBB76
              • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 000DBBA3
              • DrawMenuBar.USER32(?), ref: 000DBBB2
              • SetWindowTextW.USER32(?,0000014E), ref: 000DBBDA
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
              • String ID: 0$@U=u
              • API String ID: 1073566785-975001249
              • Opcode ID: 3561faa207a4bdc966375dd2e266f582cf41fd137f3f5383d9780a8dfd5bad12
              • Instruction ID: aea9aa61d511f57bf76fd9456697ac47c909c4b3c6ed3f8b6a935bd357f3fc72
              • Opcode Fuzzy Hash: 3561faa207a4bdc966375dd2e266f582cf41fd137f3f5383d9780a8dfd5bad12
              • Instruction Fuzzy Hash: E2E17CB1900318EBDF209FA5CC85AFE7BB8EF09714F118157F919AA291DB748A41DF60
              APIs
              • GetCursorPos.USER32(?), ref: 000D778A
              • GetDesktopWindow.USER32 ref: 000D779F
              • GetWindowRect.USER32(00000000), ref: 000D77A6
              • GetWindowLongW.USER32(?,000000F0), ref: 000D7808
              • DestroyWindow.USER32(?), ref: 000D7834
              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 000D785D
              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 000D787B
              • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 000D78A1
              • SendMessageW.USER32(?,00000421,?,?), ref: 000D78B6
              • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 000D78C9
              • IsWindowVisible.USER32(?), ref: 000D78E9
              • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 000D7904
              • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 000D7918
              • GetWindowRect.USER32(?,?), ref: 000D7930
              • MonitorFromPoint.USER32(?,?,00000002), ref: 000D7956
              • GetMonitorInfoW.USER32 ref: 000D7970
              • CopyRect.USER32(?,?), ref: 000D7987
              • SendMessageW.USER32(?,00000412,00000000), ref: 000D79F2
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
              • String ID: ($0$tooltips_class32
              • API String ID: 698492251-4156429822
              • Opcode ID: dfc2edf895bd48e617db6c049b700bc59d1bfbc71a88039c0414d6bd18ec79e2
              • Instruction ID: 80290bfe6946a9e516c9ba9a3bba8b5fd2f6358b8c86f315a83fddfaed803264
              • Opcode Fuzzy Hash: dfc2edf895bd48e617db6c049b700bc59d1bfbc71a88039c0414d6bd18ec79e2
              • Instruction Fuzzy Hash: B2B18E71608301AFD754DF64C848B6ABBE5FF88310F00891EF59D9B292EB74E805DBA5
              APIs
              • GetFileVersionInfoSizeW.VERSION(?,?), ref: 000B6CFB
              • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 000B6D21
              • _wcscpy.LIBCMT ref: 000B6D4F
              • _wcscmp.LIBCMT ref: 000B6D5A
              • _wcscat.LIBCMT ref: 000B6D70
              • _wcsstr.LIBCMT ref: 000B6D7B
              • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 000B6D97
              • _wcscat.LIBCMT ref: 000B6DE0
              • _wcscat.LIBCMT ref: 000B6DE7
              • _wcsncpy.LIBCMT ref: 000B6E12
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
              • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
              • API String ID: 699586101-1459072770
              • Opcode ID: 2df94a94c44e968b285e3ebfb730ba038d4acbabd5ca37017a48b1625bf15960
              • Instruction ID: 70cad3d53f68055a094f302e13bb546732570d62565eb64ebcb5173aabb307ff
              • Opcode Fuzzy Hash: 2df94a94c44e968b285e3ebfb730ba038d4acbabd5ca37017a48b1625bf15960
              • Instruction Fuzzy Hash: 7D41C072A00201BBEB10BB749D47EFF77ACEF45710F04002AF905A6183EB79DA41A7A5
              APIs
              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0008A939
              • GetSystemMetrics.USER32(00000007), ref: 0008A941
              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0008A96C
              • GetSystemMetrics.USER32(00000008), ref: 0008A974
              • GetSystemMetrics.USER32(00000004), ref: 0008A999
              • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 0008A9B6
              • AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 0008A9C6
              • CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0008A9F9
              • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0008AA0D
              • GetClientRect.USER32(00000000,000000FF), ref: 0008AA2B
              • GetStockObject.GDI32(00000011), ref: 0008AA47
              • SendMessageW.USER32(00000000,00000030,00000000), ref: 0008AA52
                • Part of subcall function 0008B63C: GetCursorPos.USER32(000000FF), ref: 0008B64F
                • Part of subcall function 0008B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0008B66C
                • Part of subcall function 0008B63C: GetAsyncKeyState.USER32(00000001), ref: 0008B691
                • Part of subcall function 0008B63C: GetAsyncKeyState.USER32(00000002), ref: 0008B69F
              • SetTimer.USER32(00000000,00000000,00000028,0008AB87), ref: 0008AA79
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
              • String ID: @U=u$AutoIt v3 GUI
              • API String ID: 1458621304-2077007950
              • Opcode ID: d04775ce762d6a74ca8552cda6e43c9e016bc6f9612040c05406f374dccfbe3b
              • Instruction ID: c31b9e00f32aca09acc1880a25cba2266c9f7fdb268664d7030956211b2c8584
              • Opcode Fuzzy Hash: d04775ce762d6a74ca8552cda6e43c9e016bc6f9612040c05406f374dccfbe3b
              • Instruction Fuzzy Hash: C4B18E71A0020AAFEB14EFA8DC45BED7BB5FB08314F15422AFA55E7690DB74E840CB51
              APIs
              • LoadIconW.USER32(00000063), ref: 000AEAB0
              • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 000AEAC2
              • SetWindowTextW.USER32(?,?), ref: 000AEAD9
              • GetDlgItem.USER32(?,000003EA), ref: 000AEAEE
              • SetWindowTextW.USER32(00000000,?), ref: 000AEAF4
              • GetDlgItem.USER32(?,000003E9), ref: 000AEB04
              • SetWindowTextW.USER32(00000000,?), ref: 000AEB0A
              • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 000AEB2B
              • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 000AEB45
              • GetWindowRect.USER32(?,?), ref: 000AEB4E
              • SetWindowTextW.USER32(?,?), ref: 000AEBB9
              • GetDesktopWindow.USER32 ref: 000AEBBF
              • GetWindowRect.USER32(00000000), ref: 000AEBC6
              • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 000AEC12
              • GetClientRect.USER32(?,?), ref: 000AEC1F
              • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 000AEC44
              • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 000AEC6F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
              • String ID: @U=u
              • API String ID: 3869813825-2594219639
              • Opcode ID: 17b4cb44dc5fef7df880e79b27e22d3336a6423f87f24a9e9020ae7b143ea19b
              • Instruction ID: aee37788f4e06113473f2010d83c1b3488b3e57b06169756b21e7dbc1d17e87a
              • Opcode Fuzzy Hash: 17b4cb44dc5fef7df880e79b27e22d3336a6423f87f24a9e9020ae7b143ea19b
              • Instruction Fuzzy Hash: 8C514D71900749EFEB209FA8CD89FAFBBF5FF04704F004929E696A25A1D774A944DB10
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Window$Foreground
              • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
              • API String ID: 62970417-1919597938
              • Opcode ID: f962bd7c8720d297d9bab49a7ab80ae291652c0237802b80962855c1a41d85ac
              • Instruction ID: 686bb7d6634bcd7c095d5633e8ee73a3d0643934ae1f957c6f9ac2883510090a
              • Opcode Fuzzy Hash: f962bd7c8720d297d9bab49a7ab80ae291652c0237802b80962855c1a41d85ac
              • Instruction Fuzzy Hash: EBD1C830508682AFCB14EF61C441AEEBBB4BF54340F00892DF59A675A2DB34E95ADB91
              APIs
              • CharUpperBuffW.USER32(?,?), ref: 000D6C56
              • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 000D6D16
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: BuffCharMessageSendUpper
              • String ID: @U=u$DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
              • API String ID: 3974292440-1753161424
              • Opcode ID: 9dc89b9f7a9f946c77397e9676d282262f7f11f0a44197b1b3716db8505dc33b
              • Instruction ID: 1d805fb226d74d4c9b859f38fb729bf70eac68aa96facf68046f2e7d8cb5f00d
              • Opcode Fuzzy Hash: 9dc89b9f7a9f946c77397e9676d282262f7f11f0a44197b1b3716db8505dc33b
              • Instruction Fuzzy Hash: 8CA18D306043419BCB14EF20D951ABAB3E6FF55314F10896AB89AAB3D3DB35EC06CB51
              APIs
              • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 000DE754
              • GetFileSize.KERNEL32(00000000,00000000), ref: 000DE76B
              • GlobalAlloc.KERNEL32(00000002,00000000), ref: 000DE776
              • CloseHandle.KERNEL32(00000000), ref: 000DE783
              • GlobalLock.KERNEL32(00000000), ref: 000DE78C
              • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 000DE79B
              • GlobalUnlock.KERNEL32(00000000), ref: 000DE7A4
              • CloseHandle.KERNEL32(00000000), ref: 000DE7AB
              • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 000DE7BC
              • OleLoadPicture.OLEAUT32(?,00000000,00000000,000FD9BC,?), ref: 000DE7D5
              • GlobalFree.KERNEL32(00000000), ref: 000DE7E5
              • GetObjectW.GDI32(?,00000018,000000FF), ref: 000DE809
              • CopyImage.USER32(?,00000000,?,?,00002000), ref: 000DE834
              • DeleteObject.GDI32(00000000), ref: 000DE85C
              • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 000DE872
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
              • String ID: @U=u
              • API String ID: 3840717409-2594219639
              • Opcode ID: edcbcede0f635ebd090438d9711416b7143f59823846729c28c296bb1e59dab6
              • Instruction ID: acd3b62e8e72b4e0e1ffda8da09c4c35bd75b97560abde279a92970f10a4da1e
              • Opcode Fuzzy Hash: edcbcede0f635ebd090438d9711416b7143f59823846729c28c296bb1e59dab6
              • Instruction Fuzzy Hash: 94414975600204FFEB519F65DC88EAE7BBAFF89715F10405AF909DB260CB349941EB60
              APIs
              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000D3735
              • RegCreateKeyExW.ADVAPI32(?,?,00000000,0010DC00,00000000,?,00000000,?,?), ref: 000D37A3
              • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 000D37EB
              • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 000D3874
              • RegCloseKey.ADVAPI32(?), ref: 000D3B94
              • RegCloseKey.ADVAPI32(00000000), ref: 000D3BA1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Close$ConnectCreateRegistryValue
              • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
              • API String ID: 536824911-966354055
              • Opcode ID: 8acf1ec1201a85f3f0968c2d3db1c5dae1786fbc137b897407354c200a9469e2
              • Instruction ID: a81f72cb2f4ead4665d35bab744c964f9e1294cdd3bf5a7329508d82b28d09d2
              • Opcode Fuzzy Hash: 8acf1ec1201a85f3f0968c2d3db1c5dae1786fbc137b897407354c200a9469e2
              • Instruction Fuzzy Hash: 31025C756046019FDB14EF14C855A6EB7E5FF88720F04845EF98A9B3A2CB34EE01CB96
              APIs
              • GetClassNameW.USER32(?,?,00000100), ref: 000ACF91
              • __swprintf.LIBCMT ref: 000AD032
              • _wcscmp.LIBCMT ref: 000AD045
              • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 000AD09A
              • _wcscmp.LIBCMT ref: 000AD0D6
              • GetClassNameW.USER32(?,?,00000400), ref: 000AD10D
              • GetDlgCtrlID.USER32(?), ref: 000AD15F
              • GetWindowRect.USER32(?,?), ref: 000AD195
              • GetParent.USER32(?), ref: 000AD1B3
              • ScreenToClient.USER32(00000000), ref: 000AD1BA
              • GetClassNameW.USER32(?,?,00000100), ref: 000AD234
              • _wcscmp.LIBCMT ref: 000AD248
              • GetWindowTextW.USER32(?,?,00000400), ref: 000AD26E
              • _wcscmp.LIBCMT ref: 000AD282
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
              • String ID: %s%u
              • API String ID: 3119225716-679674701
              • Opcode ID: 2c9087b49b86901b5b5e1d6824f3940aa90cdbf304018c3d7857ee90bcdaa79e
              • Instruction ID: ef3dd19a89c1017577c883a86903c7fed247a41c6929b46ca7033ffb51c84d9c
              • Opcode Fuzzy Hash: 2c9087b49b86901b5b5e1d6824f3940aa90cdbf304018c3d7857ee90bcdaa79e
              • Instruction Fuzzy Hash: 06A1F371604306AFDB14DFA4C884FEAB7E9FF55304F00862AF99AD2581DB30EA05CB91
              APIs
              • GetClassNameW.USER32(00000008,?,00000400), ref: 000AD8EB
              • _wcscmp.LIBCMT ref: 000AD8FC
              • GetWindowTextW.USER32(00000001,?,00000400), ref: 000AD924
              • CharUpperBuffW.USER32(?,00000000), ref: 000AD941
              • _wcscmp.LIBCMT ref: 000AD95F
              • _wcsstr.LIBCMT ref: 000AD970
              • GetClassNameW.USER32(00000018,?,00000400), ref: 000AD9A8
              • _wcscmp.LIBCMT ref: 000AD9B8
              • GetWindowTextW.USER32(00000002,?,00000400), ref: 000AD9DF
              • GetClassNameW.USER32(00000018,?,00000400), ref: 000ADA28
              • _wcscmp.LIBCMT ref: 000ADA38
              • GetClassNameW.USER32(00000010,?,00000400), ref: 000ADA60
              • GetWindowRect.USER32(00000004,?), ref: 000ADAC9
               Memory Dump Source
               • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
               Joe Sandbox IDA Plugin
               • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
              • String ID: @$ThumbnailClass
              • API String ID: 1788623398-1539354611
              APIs
              • _memset.LIBCMT ref: 000DCEFB
              • DestroyWindow.USER32(?,?), ref: 000DCF73
              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 000DCFF4
              • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 000DD016
              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 000DD025
              • DestroyWindow.USER32(?), ref: 000DD042
              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00070000,00000000), ref: 000DD075
              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 000DD094
              • GetDesktopWindow.USER32 ref: 000DD0A9
              • GetWindowRect.USER32(00000000), ref: 000DD0B0
              • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 000DD0C2
              • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 000DD0DA
                • Part of subcall function 0008B526: GetWindowLongW.USER32(?,000000EB), ref: 0008B537
              Similarity
              • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
              • String ID: 0$@U=u$tooltips_class32
              • API String ID: 3877571568-1130792468
              APIs
                • Part of subcall function 0008B34E: GetWindowLongW.USER32(?,000000EB), ref: 0008B35F
              • DragQueryPoint.SHELL32(?,?), ref: 000DF37A
                • Part of subcall function 000DD7DE: ClientToScreen.USER32(?,?), ref: 000DD807
                • Part of subcall function 000DD7DE: GetWindowRect.USER32(?,?), ref: 000DD87D
                • Part of subcall function 000DD7DE: PtInRect.USER32(?,?,000DED5A), ref: 000DD88D
              • SendMessageW.USER32(?,000000B0,?,?), ref: 000DF3E3
              • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 000DF3EE
              • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 000DF411
              • _wcscat.LIBCMT ref: 000DF441
              • SendMessageW.USER32(?,000000C2,00000001,?), ref: 000DF458
              • SendMessageW.USER32(?,000000B0,?,?), ref: 000DF471
              • SendMessageW.USER32(?,000000B1,?,?), ref: 000DF488
              • SendMessageW.USER32(?,000000B1,?,?), ref: 000DF4AA
              • DragFinish.SHELL32(?), ref: 000DF4B1
              • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 000DF59C
              Similarity
              • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
              • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$@U=u
              • API String ID: 169749273-762882726
              APIs
              Similarity
              • API ID: __wcsnicmp
              • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
              • API String ID: 1038674560-1810252412
              APIs
              • LoadCursorW.USER32(00000000,00007F8A), ref: 000C79C6
              • LoadCursorW.USER32(00000000,00007F00), ref: 000C79D1
              • LoadCursorW.USER32(00000000,00007F03), ref: 000C79DC
              • LoadCursorW.USER32(00000000,00007F8B), ref: 000C79E7
              • LoadCursorW.USER32(00000000,00007F01), ref: 000C79F2
              • LoadCursorW.USER32(00000000,00007F81), ref: 000C79FD
              • LoadCursorW.USER32(00000000,00007F88), ref: 000C7A08
              • LoadCursorW.USER32(00000000,00007F80), ref: 000C7A13
              • LoadCursorW.USER32(00000000,00007F86), ref: 000C7A1E
              • LoadCursorW.USER32(00000000,00007F83), ref: 000C7A29
              • LoadCursorW.USER32(00000000,00007F85), ref: 000C7A34
              • LoadCursorW.USER32(00000000,00007F82), ref: 000C7A3F
              • LoadCursorW.USER32(00000000,00007F84), ref: 000C7A4A
              • LoadCursorW.USER32(00000000,00007F04), ref: 000C7A55
              • LoadCursorW.USER32(00000000,00007F02), ref: 000C7A60
              • LoadCursorW.USER32(00000000,00007F89), ref: 000C7A6B
              • GetCursorInfo.USER32(?), ref: 000C7A7B
              Similarity
              • API ID: Cursor$Load$Info
              • String ID:
              • API String ID: 2577412497-0
              APIs
                • Part of subcall function 0008E968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,0007C8B7,?,00002000,?,?,00000000,?,0007419E,?,?,?,0010DC00), ref: 0008E984
                • Part of subcall function 0007660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000753B1,?,?,000761FF,?,00000000,00000001,00000000), ref: 0007662F
              • __wsplitpath.LIBCMT ref: 0007C93E
                • Part of subcall function 00091DFC: __wsplitpath_helper.LIBCMT ref: 00091E3C
              • _wcscpy.LIBCMT ref: 0007C953
              • _wcscat.LIBCMT ref: 0007C968
              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0007C978
              • SetCurrentDirectoryW.KERNEL32(?), ref: 0007CABE
                • Part of subcall function 0007B337: _wcscpy.LIBCMT ref: 0007B36F
              Similarity
              • API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
              • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
              • API String ID: 2258743419-1018226102
              APIs
              • CharUpperBuffW.USER32(?,?), ref: 000D71FC
              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 000D7247
              Similarity
              • API ID: BuffCharMessageSendUpper
              • String ID: @U=u$CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
              • API String ID: 3974292440-383632319
              APIs
              • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 000DE5AB
              • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,000D9808,?), ref: 000DE607
              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 000DE647
              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 000DE68C
              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 000DE6C3
              • FreeLibrary.KERNEL32(?,00000004,?,?,?,000D9808,?), ref: 000DE6CF
              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 000DE6DF
              • DestroyIcon.USER32(?), ref: 000DE6EE
              • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 000DE70B
              • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 000DE717
                • Part of subcall function 00090FA7: __wcsicmp_l.LIBCMT ref: 00091030
              Similarity
              • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
              • String ID: .dll$.exe$.icl$@U=u
              • API String ID: 1212759294-1639919054
              APIs
              • VariantInit.OLEAUT32(00000000), ref: 000BAB3D
              • VariantCopy.OLEAUT32(?,?), ref: 000BAB46
              • VariantClear.OLEAUT32(?), ref: 000BAB52
              • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 000BAC40
              • __swprintf.LIBCMT ref: 000BAC70
              • VarR8FromDec.OLEAUT32(?,?), ref: 000BAC9C
              • VariantInit.OLEAUT32(?), ref: 000BAD4D
              • SysFreeString.OLEAUT32(00000016), ref: 000BADDF
              • VariantClear.OLEAUT32(?), ref: 000BAE35
              • VariantClear.OLEAUT32(?), ref: 000BAE44
              • VariantInit.OLEAUT32(00000000), ref: 000BAE80
              Similarity
              • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
              • String ID: %4d%02d%02d%02d%02d%02d$Default
              • API String ID: 3730832054-3931177956
              APIs
                • Part of subcall function 0007936C: __swprintf.LIBCMT ref: 000793AB
                • Part of subcall function 0007936C: __itow.LIBCMT ref: 000793DF
              • CharLowerBuffW.USER32(?,?), ref: 000BD292
              • GetDriveTypeW.KERNEL32 ref: 000BD2DF
              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 000BD327
              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 000BD35E
              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 000BD38C
              Similarity
              • API ID: SendString$BuffCharDriveLowerType__itow__swprintf
              • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
              • API String ID: 1148790751-4113822522
              APIs
              • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,000E3973,00000016,0000138C,00000016,?,00000016,0010DDB4,00000000,?), ref: 000B26F1
              • LoadStringW.USER32(00000000,?,000E3973,00000016), ref: 000B26FA
              • GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,000E3973,00000016,0000138C,00000016,?,00000016,0010DDB4,00000000,?,00000016), ref: 000B271C
              • LoadStringW.USER32(00000000,?,000E3973,00000016), ref: 000B271F
              • __swprintf.LIBCMT ref: 000B276F
              • __swprintf.LIBCMT ref: 000B2780
              • _wprintf.LIBCMT ref: 000B2829
              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 000B2840
              Similarity
              • API ID: HandleLoadModuleString__swprintf$Message_wprintf
              • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
              • API String ID: 618562835-2268648507
              APIs
              • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 000BD0D8
              • __swprintf.LIBCMT ref: 000BD0FA
              • CreateDirectoryW.KERNEL32(?,00000000), ref: 000BD137
              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 000BD15C
              • _memset.LIBCMT ref: 000BD17B
              • _wcsncpy.LIBCMT ref: 000BD1B7
              • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 000BD1EC
              • CloseHandle.KERNEL32(00000000), ref: 000BD1F7
              • RemoveDirectoryW.KERNEL32(?), ref: 000BD200
              • CloseHandle.KERNEL32(00000000), ref: 000BD20A
              Similarity
              • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
              • String ID: :$\$\??\%s
              • API String ID: 2733774712-3457252023
              APIs
              • __wsplitpath.LIBCMT ref: 000C076F
              • _wcscat.LIBCMT ref: 000C0787
              • _wcscat.LIBCMT ref: 000C0799
              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 000C07AE
              • SetCurrentDirectoryW.KERNEL32(?), ref: 000C07C2
              • GetFileAttributesW.KERNEL32(?), ref: 000C07DA
              • SetFileAttributesW.KERNEL32(?,00000000), ref: 000C07F4
              • SetCurrentDirectoryW.KERNEL32(?), ref: 000C0806
              Similarity
              • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
              • String ID: *.*
              • API String ID: 34673085-438819550
              APIs
                • Part of subcall function 0008B34E: GetWindowLongW.USER32(?,000000EB), ref: 0008B35F
              • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 000DEF3B
              • GetFocus.USER32 ref: 000DEF4B
              • GetDlgCtrlID.USER32(00000000), ref: 000DEF56
              • _memset.LIBCMT ref: 000DF081
              • GetMenuItemInfoW.USER32 ref: 000DF0AC
              • GetMenuItemCount.USER32(00000000), ref: 000DF0CC
              • GetMenuItemID.USER32(?,00000000), ref: 000DF0DF
              • GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 000DF113
              • GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 000DF15B
              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 000DF193
              • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 000DF1C8
              Similarity
              • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
              • String ID: 0
              • API String ID: 1296962147-4108050209
              APIs
                • Part of subcall function 000AABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 000AABD7
                • Part of subcall function 000AABBB: GetLastError.KERNEL32(?,000AA69F,?,?,?), ref: 000AABE1
                • Part of subcall function 000AABBB: GetProcessHeap.KERNEL32(00000008,?,?,000AA69F,?,?,?), ref: 000AABF0
                • Part of subcall function 000AABBB: HeapAlloc.KERNEL32(00000000,?,000AA69F,?,?,?), ref: 000AABF7
                • Part of subcall function 000AABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 000AAC0E
                • Part of subcall function 000AAC56: GetProcessHeap.KERNEL32(00000008,000AA6B5,00000000,00000000,?,000AA6B5,?), ref: 000AAC62
                • Part of subcall function 000AAC56: HeapAlloc.KERNEL32(00000000,?,000AA6B5,?), ref: 000AAC69
                • Part of subcall function 000AAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,000AA6B5,?), ref: 000AAC7A
              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 000AA8CB
              • _memset.LIBCMT ref: 000AA8E0
              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 000AA8FF
              • GetLengthSid.ADVAPI32(?), ref: 000AA910
              • GetAce.ADVAPI32(?,00000000,?), ref: 000AA94D
              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 000AA969
              • GetLengthSid.ADVAPI32(?), ref: 000AA986
              • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 000AA995
              • HeapAlloc.KERNEL32(00000000), ref: 000AA99C
              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 000AA9BD
              • CopySid.ADVAPI32(00000000), ref: 000AA9C4
              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 000AA9F5
              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 000AAA1B
              • SetUserObjectSecurity.USER32(?,00000004,?), ref: 000AAA2F
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
              • String ID:
              • API String ID: 3996160137-0
              • Opcode ID: bddc039239281ed4ae03ba337def22376c8b60e72053a8a2681639f08eec51fb
              • Instruction ID: adce340dfdb84aa67dc958f33d1be8f5e8a52b2157d28df06263231b5e8ae897
              • Opcode Fuzzy Hash: bddc039239281ed4ae03ba337def22376c8b60e72053a8a2681639f08eec51fb
              • Instruction Fuzzy Hash: 16513D75A00209AFDF10DF94DD85EEEBBBAFF06300F04811AF915AB291DB359A05DB61
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: LoadString__swprintf_wprintf
              • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
              • API String ID: 2889450990-2391861430
              • Opcode ID: fc200a18372708c65529bc01834e1b65149d8445e790fc3a5324eda95b52fc4d
              • Instruction ID: 6d881d9c84be3b156b69a75653be07cd0092effde1e01fcd6e3594339e5b4b8b
              • Opcode Fuzzy Hash: fc200a18372708c65529bc01834e1b65149d8445e790fc3a5324eda95b52fc4d
              • Instruction Fuzzy Hash: 0A518D31D00209BADF14EBE0DD42EEEB779AF05300F10416AF519720A2EB756F59DB60
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: LoadString__swprintf_wprintf
              • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
              • API String ID: 2889450990-3420473620
              • Opcode ID: 626b1156574f11babc52464a8a8fe479f2d821a3c191ed3b750deab0b87014e7
              • Instruction ID: 9a3a02b435dd146942f49d713884ad230185845a129ffdfa2887c30027757934
              • Opcode Fuzzy Hash: 626b1156574f11babc52464a8a8fe479f2d821a3c191ed3b750deab0b87014e7
              • Instruction Fuzzy Hash: 45516D31D00219BADF15EBE0DD42EEEB779AF05340F104065F509720A2EB786F99DB61
              APIs
              • timeGetTime.WINMM ref: 000B7794
                • Part of subcall function 0008DC38: timeGetTime.WINMM(?,753DB400,000E58AB), ref: 0008DC3C
              • Sleep.KERNEL32(0000000A), ref: 000B77C0
              • EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 000B77E4
              • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 000B7806
              • SetActiveWindow.USER32 ref: 000B7825
              • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 000B7833
              • SendMessageW.USER32(00000010,00000000,00000000), ref: 000B7852
              • Sleep.KERNEL32(000000FA), ref: 000B785D
              • IsWindow.USER32 ref: 000B7869
              • EndDialog.USER32(00000000), ref: 000B787A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
              • String ID: @U=u$BUTTON
              • API String ID: 1194449130-2582809321
              • Opcode ID: 2ef7c5f51d47b7405e5801b262a51e38226c175a349cd0f8cb18fbded470d4c1
              • Instruction ID: 14275ac0ea587e1e0afcb106ca8a9cd78df5bb1fd4afbdd81fc349cf442ec165
              • Opcode Fuzzy Hash: 2ef7c5f51d47b7405e5801b262a51e38226c175a349cd0f8cb18fbded470d4c1
              • Instruction Fuzzy Hash: D92193B0248205AFF7115B20EC8DBBA7F6AFB84749F004025F51A82A72DF799D44EB25
              APIs
              • _memset.LIBCMT ref: 000B55D7
              • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 000B5664
              • GetMenuItemCount.USER32(00131708), ref: 000B56ED
              • DeleteMenu.USER32(00131708,00000005,00000000,000000F5,?,?), ref: 000B577D
              • DeleteMenu.USER32(00131708,00000004,00000000), ref: 000B5785
              • DeleteMenu.USER32(00131708,00000006,00000000), ref: 000B578D
              • DeleteMenu.USER32(00131708,00000003,00000000), ref: 000B5795
              • GetMenuItemCount.USER32(00131708), ref: 000B579D
              • SetMenuItemInfoW.USER32(00131708,00000004,00000000,00000030), ref: 000B57D3
              • GetCursorPos.USER32(?), ref: 000B57DD
              • SetForegroundWindow.USER32(00000000), ref: 000B57E6
              • TrackPopupMenuEx.USER32(00131708,00000000,?,00000000,00000000,00000000), ref: 000B57F9
              • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 000B5805
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
              • String ID:
              • API String ID: 3993528054-0
              • Opcode ID: d8151c1c60822e972defa39390fd5c2d23445f028a00fd6e185943bc0206d41b
              • Instruction ID: 8eed12539399e25ebe1c270a92255b2f2cd791f0f58c1f9e5786479442fea0fd
              • Opcode Fuzzy Hash: d8151c1c60822e972defa39390fd5c2d23445f028a00fd6e185943bc0206d41b
              • Instruction Fuzzy Hash: 2871F170640A05BEFB209B54DC89FEABFA5FF04369F244246F618AB1D1CBB16C10DB95
              APIs
              • _memset.LIBCMT ref: 000AA1DC
              • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 000AA211
              • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 000AA22D
              • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 000AA249
              • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 000AA273
              • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 000AA29B
              • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 000AA2A6
              • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 000AA2AB
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
              • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
              • API String ID: 1687751970-22481851
              • Opcode ID: a7eb36656076ed0d8ca645c3b2cdbb7801053cd1a5029afb196e1213bfc0e7da
              • Instruction ID: fe60ee4be514cd5b5a9113385084323e061a1210cd047537b4b898cb6af31b2d
              • Opcode Fuzzy Hash: a7eb36656076ed0d8ca645c3b2cdbb7801053cd1a5029afb196e1213bfc0e7da
              • Instruction Fuzzy Hash: 59411672C10229ABDB21EBA4DC85EEDB7B8FF05340F00802AF805B31A1EB759E15DB50
              APIs
              • CharUpperBuffW.USER32(?,?,?,?,?,?,?,000D2BB5,?,?), ref: 000D3C1D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: BuffCharUpper
              • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
              • API String ID: 3964851224-909552448
              • Opcode ID: 2eafd80ad5a34bb40584bfef12d5d1ca98dbff7a37f81901b138ab102b5679d6
              • Instruction ID: 1d131e7b9cd14a005ecebbe1031fce28bc977065bed9fca28af127af935cfe5b
              • Opcode Fuzzy Hash: 2eafd80ad5a34bb40584bfef12d5d1ca98dbff7a37f81901b138ab102b5679d6
              • Instruction Fuzzy Hash: E6414F3051438A8BDF10FF10E951AEB3366BF12340F104815FC956B296EB70AE1ACF61
              APIs
              • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 000DA259
              • CreateCompatibleDC.GDI32(00000000), ref: 000DA260
              • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 000DA273
              • SelectObject.GDI32(00000000,00000000), ref: 000DA27B
              • GetPixel.GDI32(00000000,00000000,00000000), ref: 000DA286
              • DeleteDC.GDI32(00000000), ref: 000DA28F
              • GetWindowLongW.USER32(?,000000EC), ref: 000DA299
              • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 000DA2AD
              • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 000DA2B9
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
              • String ID: @U=u$static
              • API String ID: 2559357485-3553413495
              • Opcode ID: 52d36fe89819c60a6d95e9c185a4d441f940ce1946935ea08581a36a1100f012
              • Instruction ID: bc08d68d3653dd154a8b3b0a7df87b95937bee4c327fa2f156944eae2ee235d7
              • Opcode Fuzzy Hash: 52d36fe89819c60a6d95e9c185a4d441f940ce1946935ea08581a36a1100f012
              • Instruction Fuzzy Hash: 61317231100215BBEF115FA5DC49FFA3B69FF0A760F100216FA19961A0C735D811EB65
              APIs
              • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,000E36F4,00000010,?,Bad directive syntax error,0010DC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 000B25D6
              • LoadStringW.USER32(00000000,?,000E36F4,00000010), ref: 000B25DD
              • _wprintf.LIBCMT ref: 000B2610
              • __swprintf.LIBCMT ref: 000B2632
              • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 000B26A1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: HandleLoadMessageModuleString__swprintf_wprintf
              • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
              • API String ID: 1080873982-4153970271
              • Opcode ID: 0a9781316bb74e9d3d4fc5834e15d174c7bc97cb0faa907e34093d823b0b4186
              • Instruction ID: e4e317cc54ab7cbf81dfcd8872303d3db5047e4a99a9346234afe666e470d1a1
              • Opcode Fuzzy Hash: 0a9781316bb74e9d3d4fc5834e15d174c7bc97cb0faa907e34093d823b0b4186
              • Instruction Fuzzy Hash: AB217C3190021ABFDF11AB90CC0AEEE7B79BF18304F044459F519620A3EB79A628EB54
              APIs
              • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 000B7B42
              • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 000B7B58
              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 000B7B69
              • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 000B7B7B
              • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 000B7B8C
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: SendString
              • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
              • API String ID: 890592661-1007645807
              • Opcode ID: 098ca47ce660d8342ad24d8629fbe26df258954d0f8dc2251fceb0a00105f7d9
              • Instruction ID: af8f5a8a4605307809d7369c761d25c9316c14a5de9b80fe93fd9d9ec0fa7823
              • Opcode Fuzzy Hash: 098ca47ce660d8342ad24d8629fbe26df258954d0f8dc2251fceb0a00105f7d9
              • Instruction Fuzzy Hash: D311ABA1E5026979DB24B761DC4ADFF7BBCEFD1B10F0004197429A70D1EF641A45C9B1
              APIs
                • Part of subcall function 0007936C: __swprintf.LIBCMT ref: 000793AB
                • Part of subcall function 0007936C: __itow.LIBCMT ref: 000793DF
              • CoInitialize.OLE32(00000000), ref: 000C034B
              • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 000C03DE
              • SHGetDesktopFolder.SHELL32(?), ref: 000C03F2
              • CoCreateInstance.OLE32(000FDA8C,00000000,00000001,00123CF8,?), ref: 000C043E
              • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 000C04AD
              • CoTaskMemFree.OLE32(?,?), ref: 000C0505
              • _memset.LIBCMT ref: 000C0542
              • SHBrowseForFolderW.SHELL32(?), ref: 000C057E
              • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 000C05A1
              • CoTaskMemFree.OLE32(00000000), ref: 000C05A8
              • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 000C05DF
              • CoUninitialize.OLE32(00000001,00000000), ref: 000C05E1
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
              • String ID:
              • API String ID: 1246142700-0
              • Opcode ID: 9c9d189a5ec8977d7f3e12ee32fc1b79974c0a6985383634b5f503c3a9298c20
              • Instruction ID: 2c2942aa0ba286714535d3ac7a3be934b5fee2cebbeddbc518bbf50773fc2350
              • Opcode Fuzzy Hash: 9c9d189a5ec8977d7f3e12ee32fc1b79974c0a6985383634b5f503c3a9298c20
              • Instruction Fuzzy Hash: 2CB1C975A00209EFDB14DFA4C888EAEBBB9FF48304B148459F909EB251DB74EE41CB54
              APIs
              • GetKeyboardState.USER32(?), ref: 000B2ED6
              • SetKeyboardState.USER32(?), ref: 000B2F41
              • GetAsyncKeyState.USER32(000000A0), ref: 000B2F61
              • GetKeyState.USER32(000000A0), ref: 000B2F78
              • GetAsyncKeyState.USER32(000000A1), ref: 000B2FA7
              • GetKeyState.USER32(000000A1), ref: 000B2FB8
              • GetAsyncKeyState.USER32(00000011), ref: 000B2FE4
              • GetKeyState.USER32(00000011), ref: 000B2FF2
              • GetAsyncKeyState.USER32(00000012), ref: 000B301B
              • GetKeyState.USER32(00000012), ref: 000B3029
              • GetAsyncKeyState.USER32(0000005B), ref: 000B3052
              • GetKeyState.USER32(0000005B), ref: 000B3060
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: State$Async$Keyboard
              • String ID:
              • API String ID: 541375521-0
              • Opcode ID: 4abc78dd1b82beb7913a4646dd10cd363d39b99838733ba67bfdd80413c1dd4e
              • Instruction ID: 2cf5f971e501b085f79f146741a15aab90cdd5d325ab9df8cd61c53df43b9c4b
              • Opcode Fuzzy Hash: 4abc78dd1b82beb7913a4646dd10cd363d39b99838733ba67bfdd80413c1dd4e
              • Instruction Fuzzy Hash: 3C51B760A0878829FB75EBB488517EABFF49F11340F1845AED5C25A1C3DA549B8CC7A2
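The entries above list, per recovered function, the Win32 calls Joe Sandbox attributed to it (subcall lines included) and a Similarity block whose API ID, Opcode ID and Instruction Fuzzy Hash can be used to cluster functions. Two things worth pulling out of this section by hand: the function whose calls run GetUserObjectSecurity, GetSecurityDescriptorDacl, AddAce, SetSecurityDescriptorDacl and SetUserObjectSecurity rewrites a window-station or desktop DACL, which is the usual way a process grants another account access to its desktop before launching something as that user; and the two LoadString__swprintf_wprintf entries that share one API ID but carry different Opcode IDs, i.e. two near-identical error-reporting variants. The Python below is an added example, not Joe Sandbox or AutoIt code. It parses bullet lines copied from this page into per-function call sequences, matches ordered-API signatures, labels a few argument constants, and compares the two LoadString fuzzy hashes. The signature definitions, the VK_*/WM_CLOSE/BM_CLICK tables and the nibble-wise Hamming comparison are my assumptions for illustration, not something the report asserts; in particular the page does not document the fuzzy-hash format, so the distance is only a crude kinship measure.

```python
import re
# Constructed excerpt of the per-function entries on this page (bullet lines copied verbatim).
SAMPLE = r"""
APIs
  • Part of subcall function 000AABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 000AABD7
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 000AA8CB
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 000AA969
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 000AAA1B
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 000AAA2F
• API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
• Instruction Fuzzy Hash: 16513D75A00209AFDF10DF94DD85EEEBBBAFF06300F04811AF915AB291DB359A05DB61
APIs
• API ID: LoadString__swprintf_wprintf
• Instruction Fuzzy Hash: 0A518D31D00209BADF14EBE0DD42EEEB779AF05300F10416AF519720A2EB756F59DB60
APIs
• API ID: LoadString__swprintf_wprintf
• Instruction Fuzzy Hash: 45516D31D00219BADF15EBE0DD42EEEB779AF05340F104065F509720A2EB786F99DB61
APIs
• timeGetTime.WINMM ref: 000B7794
• SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 000B7833
• SendMessageW.USER32(00000010,00000000,00000000), ref: 000B7852
APIs
• GetAsyncKeyState.USER32(000000A0), ref: 000B2F61
• GetKeyState.USER32(0000005B), ref: 000B3060
APIs
• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 000AA211
• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 000AA22D
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 000AA249
"""

CALL_RE = re.compile(r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
                     r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9_]+)"
                     r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]+)")
API_ID_RE = re.compile(r"^\s*•\s*API ID:\s*(.+)$")
FUZZY_RE = re.compile(r"^\s*•\s*Instruction Fuzzy Hash:\s*([0-9A-Fa-f]+)")

# Ordered API subsequences (subcall lines included) that characterise a behaviour; assumed here.
# Rewriting a window-station/desktop DACL via the *UserObjectSecurity pair is the usual prelude to running a process as another user.
SIGNATURES = {
    "user-object DACL rewrite": ("GetUserObjectSecurity", "AddAce",
                                 "SetSecurityDescriptorDacl", "SetUserObjectSecurity"),
    "remote registry connect": ("WNetAddConnection2W", "RegConnectRegistryW", "RegOpenKeyExW"),
}
VK_NAMES = {0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}
MSG_NAMES = {0x0010: "WM_CLOSE", 0x00F5: "BM_CLICK"}

def parse_entries(text):
    """Split at each bare 'APIs' line; collect each entry's calls, API ID and fuzzy hash."""
    entries, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = {"api_id": None, "fuzzy": None, "calls": []}
            entries.append(cur)
        elif cur is None:
            continue
        elif (m := CALL_RE.match(line)):
            args = [] if m["args"] is None else [a.strip() for a in m["args"].split(",")]
            cur["calls"].append({"api": m["api"], "mod": m["mod"], "args": args,
                                 "ref": m["ref"], "subcall": m["sub"]})
        elif (m := API_ID_RE.match(line)):
            cur["api_id"] = m[1].strip()
        elif (m := FUZZY_RE.match(line)):
            cur["fuzzy"] = m[1].upper()
    return entries

def has_ordered_calls(entry, names):
    """True if `names` appear in this order (gaps allowed) in the entry's call list."""
    it = iter(c["api"] for c in entry["calls"])
    return all(any(api == want for api in it) for want in names)

def match_signatures(entry):
    return [name for name, seq in SIGNATURES.items() if has_ordered_calls(entry, seq)]

def decode_constants(entry):
    """Name well-known constants, but only where the recovered argument layout is unambiguous."""
    notes = []
    for c in entry["calls"]:
        api, a = c["api"], c["args"]
        vals = [int(x, 16) if re.fullmatch(r"[0-9A-Fa-f]+", x) else None for x in a]  # '?' -> None
        if api in ("GetAsyncKeyState", "GetKeyState") and len(a) == 1 and vals[0] in VK_NAMES:
            notes.append(f"{api}(0x{vals[0]:02X}={VK_NAMES[vals[0]]}) @{c['ref']}")
        # Trust the (hwnd, msg, wParam, lParam) layout only when all four arguments were recovered.
        elif api in ("SendMessageW", "PostMessageW") and len(a) == 4 and vals[1] in MSG_NAMES:
            notes.append(f"{api}(msg=0x{vals[1]:04X}={MSG_NAMES[vals[1]]}) @{c['ref']}")
    return notes

def fuzzy_distance(h1, h2):
    """Nibble-wise Hamming distance of two equal-length Instruction Fuzzy Hashes (assumed
    position-for-position comparable; a crude kinship score, not Joe Sandbox's own metric)."""
    if len(h1) != len(h2):
        raise ValueError("fuzzy hashes differ in length")
    return sum(x != y for x, y in zip(h1.upper(), h2.upper()))

if __name__ == "__main__":
    ents = parse_entries(SAMPLE)
    for e in ents:
        print(e["api_id"], match_signatures(e), decode_constants(e))
    a, b = [e for e in ents if e["api_id"] == "LoadString__swprintf_wprintf"]
    print("LoadString variants differ in", fuzzy_distance(a["fuzzy"], b["fuzzy"]), "of 70 nibbles")
```

Run as a script it names the DACL-rewrite and remote-registry entries, decodes 0xF5 as BM_CLICK for the four-argument SendMessageW line while deliberately skipping the three-argument one (its recovered layout is ambiguous, so decoding it would be guesswork), labels 0xA0 and 0x5B as VK_LSHIFT and VK_LWIN, and reports the two LoadString variants differing in 12 of 70 hash nibbles. The parser ignores "Source File", "Associated" and "Snapshot File" bullets because their text never matches the `name.MODULE ... ref:` shape, so the same code can be pointed at the full report text.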
              APIs
              • GetDlgItem.USER32(?,00000001), ref: 000AED1E
              • GetWindowRect.USER32(00000000,?), ref: 000AED30
              • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 000AED8E
              • GetDlgItem.USER32(?,00000002), ref: 000AED99
              • GetWindowRect.USER32(00000000,?), ref: 000AEDAB
              • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 000AEE01
              • GetDlgItem.USER32(?,000003E9), ref: 000AEE0F
              • GetWindowRect.USER32(00000000,?), ref: 000AEE20
              • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 000AEE63
              • GetDlgItem.USER32(?,000003EA), ref: 000AEE71
              • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 000AEE8E
              • InvalidateRect.USER32(?,00000000,00000001), ref: 000AEE9B
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Window$ItemMoveRect$Invalidate
              • String ID:
              • API String ID: 3096461208-0
              • Opcode ID: 7079970467f2c5bdf3efa8902f60e64866a6b195d891adc544f5fb5092de2e91
              • Instruction ID: 66260dae834d3b210059817b109e291e7e84626371439a8ba8158a69d6132af8
              • Opcode Fuzzy Hash: 7079970467f2c5bdf3efa8902f60e64866a6b195d891adc544f5fb5092de2e91
              • Instruction Fuzzy Hash: 5D510EB1B00205AFDB18CFA9DD89AAEBBFAFB89701F148129F519D7690D7749D00DB10
              APIs
                • Part of subcall function 0008B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0008B759,?,00000000,?,?,?,?,0008B72B,00000000,?), ref: 0008BA58
              • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0008B72B), ref: 0008B7F6
              • KillTimer.USER32(00000000,?,00000000,?,?,?,?,0008B72B,00000000,?,?,0008B2EF,?,?), ref: 0008B88D
              • DestroyAcceleratorTable.USER32(00000000), ref: 000ED8A6
              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0008B72B,00000000,?,?,0008B2EF,?,?), ref: 000ED8D7
              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0008B72B,00000000,?,?,0008B2EF,?,?), ref: 000ED8EE
              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0008B72B,00000000,?,?,0008B2EF,?,?), ref: 000ED90A
              • DeleteObject.GDI32(00000000), ref: 000ED91C
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
              • String ID:
              • API String ID: 641708696-0
              • Opcode ID: 271263494389e7bf6f1b924d78d73645c12fc737b712991a75f49bfcdad0ab48
              • Instruction ID: 28307ebb7232f56ac81cf1d60f288eaad145a4f296b9de1858f16ccb26ef5a88
              • Opcode Fuzzy Hash: 271263494389e7bf6f1b924d78d73645c12fc737b712991a75f49bfcdad0ab48
              • Instruction Fuzzy Hash: D3617870505740EFEB35AF59DD89B79BBF6FF94312F14051AE482A6A60CBB4A880DB40
              APIs
                • Part of subcall function 0008B526: GetWindowLongW.USER32(?,000000EB), ref: 0008B537
              • GetSysColor.USER32(0000000F), ref: 0008B438
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: ColorLongWindow
              • String ID:
              • API String ID: 259745315-0
              • Opcode ID: cc0f2eae3985098ab97f1f4629a036e07187461d9d68c79cb82c344de726b551
              • Instruction ID: 939436e94e4472993e5d8feb28a6a8e805b8c1aa9f55a1dd0fde1bf3373dd661
              • Opcode Fuzzy Hash: cc0f2eae3985098ab97f1f4629a036e07187461d9d68c79cb82c344de726b551
              • Instruction Fuzzy Hash: 60419330100544AFEB207F28DC8ABB93BA6FB46731F184262FDA59E5E6D7348C41DB21
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
              • String ID:
              • API String ID: 136442275-0
              • Opcode ID: a0f3e9a4fea93326dd85d6ed0f729c1c5ebcab55725eba319e834c49aeae8bfb
              • Instruction ID: e71ed9005b20c4d0aff63198f3b79485d8a5ffae49c6587f075a8c00c66a0de2
              • Opcode Fuzzy Hash: a0f3e9a4fea93326dd85d6ed0f729c1c5ebcab55725eba319e834c49aeae8bfb
              • Instruction Fuzzy Hash: C7414DB684511CAECF61EB94CC81DDF73BDEF44310F0041A2B659A2042EA31ABE99F51
              APIs
              • CharLowerBuffW.USER32(0010DC00,0010DC00,0010DC00), ref: 000BD7CE
              • GetDriveTypeW.KERNEL32(?,00123A70,00000061), ref: 000BD898
              • _wcscpy.LIBCMT ref: 000BD8C2
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: BuffCharDriveLowerType_wcscpy
              • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
              • API String ID: 2820617543-1000479233
              • Opcode ID: be685101652fdb540c7f982f35781eb811970247c9913412981af6a09cb29d86
              • Instruction ID: 10335cab863fb4443c4777ac6dc36bf55a36b2e213c73250f21901f2dfdab852
              • Opcode Fuzzy Hash: be685101652fdb540c7f982f35781eb811970247c9913412981af6a09cb29d86
              • Instruction Fuzzy Hash: 21516C35508240AFD710EF14D892AEEF7A5EF94314F10882EF5AA572A2EB319D05CB42
              APIs
              • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 000DB3F4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: InvalidateRect
              • String ID: @U=u
              • API String ID: 634782764-2594219639
              • Opcode ID: 6ba668c0b712de7de6f6356557dbe5a0dee49b4dd43cb97adbcb662058a26f11
              • Instruction ID: 8346448417cd6f11461e91b0a490863290d6d159369ec9a825a0308047a500b6
              • Opcode Fuzzy Hash: 6ba668c0b712de7de6f6356557dbe5a0dee49b4dd43cb97adbcb662058a26f11
              • Instruction Fuzzy Hash: B2518D30600304FBEF309F289C85BAD3BA5AB05364F654017F655E67E2CB71EA80EB60
              APIs
              • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 000EDB1B
              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 000EDB3C
              • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 000EDB51
              • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 000EDB6E
              • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 000EDB95
              • DestroyIcon.USER32(00000000,?,?,?,?,?,?,0008A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 000EDBA0
              • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 000EDBBD
              • DestroyIcon.USER32(00000000,?,?,?,?,?,?,0008A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 000EDBC8
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Icon$DestroyExtractImageLoadMessageSend
              • String ID: @U=u
              • API String ID: 1268354404-2594219639
              • Opcode ID: 20de6ba3716b5dcb33bea0d9902c86371cb6fdf00e8cffb83e1b1b0788fca090
              • Instruction ID: 314d167169be809cfc82c9dd2b86cd7df8ca87181bf0539d7d7faed194395e61
              • Opcode Fuzzy Hash: 20de6ba3716b5dcb33bea0d9902c86371cb6fdf00e8cffb83e1b1b0788fca090
              • Instruction Fuzzy Hash: 58516B70600209EFEB20DF69CC81FAA77F5FB49750F10051AF946A7A91E7B4AD90EB50
              APIs
              • __swprintf.LIBCMT ref: 000793AB
              • __itow.LIBCMT ref: 000793DF
                • Part of subcall function 00091557: _xtow@16.LIBCMT ref: 00091578
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: __itow__swprintf_xtow@16
              • String ID: %.15g$0x%p$False$True
              • API String ID: 1502193981-2263619337
              • Opcode ID: cf382229467a920b2f7eb9c0c3e39458a387abe919c62c9181334de58510959c
              • Instruction ID: 223937c8f3607ccbcbb0ab3bd8212fe5f3cbc1d6e51d559edc5a659d37eaffc4
              • Opcode Fuzzy Hash: cf382229467a920b2f7eb9c0c3e39458a387abe919c62c9181334de58510959c
              • Instruction Fuzzy Hash: 4941E671A04205EFEB64EF74D942EAA73F4EF48300F20846EF14DD7182EA359A41DB50
              APIs
              • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 000AB98C
              • GetDlgCtrlID.USER32 ref: 000AB997
              • GetParent.USER32 ref: 000AB9B3
              • SendMessageW.USER32(00000000,?,00000111,?), ref: 000AB9B6
              • GetDlgCtrlID.USER32(?), ref: 000AB9BF
              • GetParent.USER32(?), ref: 000AB9DB
              • SendMessageW.USER32(00000000,?,?,00000111), ref: 000AB9DE
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: MessageSend$CtrlParent
              • String ID: @U=u$ComboBox$ListBox
              • API String ID: 1383977212-2258501812
              • Opcode ID: 9448cb24146f3f3876fc2ef9fe5742b3d2ae666c97719e3fef3b1fe93b5da466
              • Instruction ID: 45c45b9df5431cbe8be5d7f119ce842592a0435e644ca3a8e5b0547e1980a397
              • Opcode Fuzzy Hash: 9448cb24146f3f3876fc2ef9fe5742b3d2ae666c97719e3fef3b1fe93b5da466
              • Instruction Fuzzy Hash: 1A21B674900108BFEB04EBA4CC85EFEBBB5EF4A300F10411AF555972D2DB789815EB20
              APIs
              • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 000ABA73
              • GetDlgCtrlID.USER32 ref: 000ABA7E
              • GetParent.USER32 ref: 000ABA9A
              • SendMessageW.USER32(00000000,?,00000111,?), ref: 000ABA9D
              • GetDlgCtrlID.USER32(?), ref: 000ABAA6
              • GetParent.USER32(?), ref: 000ABAC2
              • SendMessageW.USER32(00000000,?,?,00000111), ref: 000ABAC5
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: MessageSend$CtrlParent
              • String ID: @U=u$ComboBox$ListBox
              • API String ID: 1383977212-2258501812
              • Opcode ID: 74b6656d582b3ad835cda629ed0fea795e62bf8ed74c0d92d8e5b07d7af82ed3
              • Instruction ID: fe2cdce2712e1886bd18f7497d60b05b68f072e5ae00a3fff5d9d10cc244ec14
              • Opcode Fuzzy Hash: 74b6656d582b3ad835cda629ed0fea795e62bf8ed74c0d92d8e5b07d7af82ed3
              • Instruction Fuzzy Hash: F321D774900108BFEB00EBA4CC85EFEBBB5EF56300F14401AF551D7192DB799915EB20
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
              • String ID: 0.0.0.0
              • API String ID: 2620052-3771769585
              • Opcode ID: 9d9a53628e9618bbddc989354730a167e44f08a3e19a2127eeecd42d0192d064
              • Instruction ID: 4ee21d68bd49223acc4767e4dc3eb4bb0722ed0a1d520152c5cad928d2a831b8
              • Opcode Fuzzy Hash: 9d9a53628e9618bbddc989354730a167e44f08a3e19a2127eeecd42d0192d064
              • Instruction Fuzzy Hash: C211D571504215AFDB246B64EC0AEFA77A8EF40710F000076F15596081FF799A85E750
              APIs
              • GetParent.USER32 ref: 000ABAE3
              • GetClassNameW.USER32(00000000,?,00000100), ref: 000ABAF8
              • _wcscmp.LIBCMT ref: 000ABB0A
              • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 000ABB85
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: ClassMessageNameParentSend_wcscmp
              • String ID: @U=u$SHELLDLL_DefView$details$largeicons$list$smallicons
              • API String ID: 1704125052-1428604138
              • Opcode ID: 7515fb9d4c1a5bcea3a6b1edb1777ef9f85d05a490d7b6a08c28152209b926ef
              • Instruction ID: eb345b44ff751f1f43345d915f6b0fe40bcea04d05e744601d3d057da020e84d
              • Opcode Fuzzy Hash: 7515fb9d4c1a5bcea3a6b1edb1777ef9f85d05a490d7b6a08c28152209b926ef
              • Instruction Fuzzy Hash: C0110A76718303FEFA206660EC17DEA379D9B12324B200022F908E58D7FFE199616524
              APIs
              • _memset.LIBCMT ref: 00095047
                • Part of subcall function 00097C0E: __getptd_noexit.LIBCMT ref: 00097C0E
              • __gmtime64_s.LIBCMT ref: 000950E0
              • __gmtime64_s.LIBCMT ref: 00095116
              • __gmtime64_s.LIBCMT ref: 00095133
              • __allrem.LIBCMT ref: 00095189
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000951A5
              • __allrem.LIBCMT ref: 000951BC
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000951DA
              • __allrem.LIBCMT ref: 000951F1
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0009520F
              • __invoke_watson.LIBCMT ref: 00095280
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
              • String ID:
              • API String ID: 384356119-0
              • Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
              • Instruction ID: 8449a69e3f9d2ceef67484690fb9b8156445b4fd5f2b24665990a7cc3101b5da
              • Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
              • Instruction Fuzzy Hash: 1E711472A00B16ABEF159F7ACC41BAAB3E8BF46765F144239F410D6682E770DD409BD0
              APIs
              • _memset.LIBCMT ref: 000B4DF8
              • GetMenuItemInfoW.USER32(00131708,000000FF,00000000,00000030), ref: 000B4E59
              • SetMenuItemInfoW.USER32(00131708,00000004,00000000,00000030), ref: 000B4E8F
              • Sleep.KERNEL32(000001F4), ref: 000B4EA1
              • GetMenuItemCount.USER32(?), ref: 000B4EE5
              • GetMenuItemID.USER32(?,00000000), ref: 000B4F01
              • GetMenuItemID.USER32(?,-00000001), ref: 000B4F2B
              • GetMenuItemID.USER32(?,?), ref: 000B4F70
              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 000B4FB6
              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000B4FCA
              • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000B4FEB
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
              • String ID:
              • API String ID: 4176008265-0
              • Opcode ID: 1b98fd7dc74e6b1e2006302fac6ac51c4af39fc503bc5a7ea920b75dcaa21239
              • Instruction ID: f50bb0c16b0545632a7ca630df4cfe1803d7c25e57dbde70e2e60b2754a167a1
              • Opcode Fuzzy Hash: 1b98fd7dc74e6b1e2006302fac6ac51c4af39fc503bc5a7ea920b75dcaa21239
              • Instruction Fuzzy Hash: 58618C7190024AAFEB21CFA4D888AFE7BF9FB45708F14006AF451A7252D731AE45DB20
              APIs
              • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 000D9C98
              • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 000D9C9B
              • GetWindowLongW.USER32(?,000000F0), ref: 000D9CBF
              • _memset.LIBCMT ref: 000D9CD0
              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 000D9CE2
              • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 000D9D5A
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: MessageSend$LongWindow_memset
              • String ID:
              • API String ID: 830647256-0
              • Opcode ID: 12efcbb96cbe98c42c13ebecb68e60f7a8a7076cad23d5a6cc2433b9baac3d29
              • Instruction ID: 6af54f7ddba614b8979455aa7afd5fa9f72e2b7a3bc56a65afa73bff127cf23a
              • Opcode Fuzzy Hash: 12efcbb96cbe98c42c13ebecb68e60f7a8a7076cad23d5a6cc2433b9baac3d29
              • Instruction Fuzzy Hash: 77616BB5A00248AFDB10DFA4CC81EEEB7B9EF09714F14415AFA05E7391D774A941DB60
              APIs
              • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 000A94FE
              • SafeArrayAllocData.OLEAUT32(?), ref: 000A9549
              • VariantInit.OLEAUT32(?), ref: 000A955B
              • SafeArrayAccessData.OLEAUT32(?,?), ref: 000A957B
              • VariantCopy.OLEAUT32(?,?), ref: 000A95BE
              • SafeArrayUnaccessData.OLEAUT32(?), ref: 000A95D2
              • VariantClear.OLEAUT32(?), ref: 000A95E7
              • SafeArrayDestroyData.OLEAUT32(?), ref: 000A95F4
              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 000A95FD
              • VariantClear.OLEAUT32(?), ref: 000A960F
              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 000A961A
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
              • String ID:
              • API String ID: 2706829360-0
              • Opcode ID: 7049e00ed566351c973d8d412fdd4f19d78b94035fd96233c7add710090d5ba0
              • Instruction ID: a28f2a9825e5dee4dea76d26c3708ddf7b54cca9fc2ea762f43ec97fd30813de
              • Opcode Fuzzy Hash: 7049e00ed566351c973d8d412fdd4f19d78b94035fd96233c7add710090d5ba0
              • Instruction Fuzzy Hash: 1C414E31E00219AFDB01EFE4D8849EEBBB9FF09354F108066E541A7251DB35EA45DBA0
              APIs
                • Part of subcall function 0007936C: __swprintf.LIBCMT ref: 000793AB
                • Part of subcall function 0007936C: __itow.LIBCMT ref: 000793DF
              • CoInitialize.OLE32 ref: 000CADF6
              • CoUninitialize.OLE32 ref: 000CAE01
              • CoCreateInstance.OLE32(?,00000000,00000017,000FD8FC,?), ref: 000CAE61
              • IIDFromString.OLE32(?,?), ref: 000CAED4
              • VariantInit.OLEAUT32(?), ref: 000CAF6E
              • VariantClear.OLEAUT32(?), ref: 000CAFCF
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
              • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
              • API String ID: 834269672-1287834457
              • Opcode ID: 7b783b86006e56f17ff2d08538d23539d143896330fc68dee5f383bc27d23dab
              • Instruction ID: f796156e197e2af5614764f4d3f4a0db125fbefd71907ef997842b4e606ed5bc
              • Opcode Fuzzy Hash: 7b783b86006e56f17ff2d08538d23539d143896330fc68dee5f383bc27d23dab
              • Instruction Fuzzy Hash: 0E617870708215AFD720DF94D848FAEB7E8AF4A718F00441EF9859B292CB74ED45CB92
              APIs
              • SetWindowLongW.USER32(?,000000EB), ref: 0008CC15
                • Part of subcall function 0008CCCD: GetClientRect.USER32(?,?), ref: 0008CCF6
                • Part of subcall function 0008CCCD: GetWindowRect.USER32(?,?), ref: 0008CD37
                • Part of subcall function 0008CCCD: ScreenToClient.USER32(?,?), ref: 0008CD5F
              • GetDC.USER32 ref: 000ED137
              • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 000ED14A
              • SelectObject.GDI32(00000000,00000000), ref: 000ED158
              • SelectObject.GDI32(00000000,00000000), ref: 000ED16D
              • ReleaseDC.USER32(?,00000000), ref: 000ED175
              • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 000ED200
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
              • String ID: @U=u$U
              • API String ID: 4009187628-4110099822
              • Opcode ID: d9cd8e6da73a46fd49ac77978d076be257666be0021bb58670573945dfb046aa
              • Instruction ID: 47a36b3e2e18635a6f85a105c6032a99a0243e1dae4a1b3232557f4a25125095
              • Opcode Fuzzy Hash: d9cd8e6da73a46fd49ac77978d076be257666be0021bb58670573945dfb046aa
              • Instruction Fuzzy Hash: 4471D130500245EFDF619F65CC81AEA7BB6FF48310F18426BED956A2A6C7318881DF60
              APIs
              • WSAStartup.WSOCK32(00000101,?), ref: 000C8168
              • inet_addr.WSOCK32(?,?,?), ref: 000C81AD
              • gethostbyname.WSOCK32(?), ref: 000C81B9
              • IcmpCreateFile.IPHLPAPI ref: 000C81C7
              • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 000C8237
              • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 000C824D
              • IcmpCloseHandle.IPHLPAPI(00000000), ref: 000C82C2
              • WSACleanup.WSOCK32 ref: 000C82C8
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
              • String ID: Ping
              • API String ID: 1028309954-2246546115
              • Opcode ID: 71dc6ec8c45cbb1871bdcf549aea35d66e3f6bc4326b3a85ff5163081e593dea
              • Instruction ID: 957d6e349b05cd69ee390372e9ea882755a0e5e762bb5e95e38b78022e9ee421
              • Opcode Fuzzy Hash: 71dc6ec8c45cbb1871bdcf549aea35d66e3f6bc4326b3a85ff5163081e593dea
              • Instruction Fuzzy Hash: 7A518D31604701AFD760AF64CC49F6EB7E5FF48310F04886AF99A9B2A1DB74E901DB45
              APIs
                • Part of subcall function 0008B34E: GetWindowLongW.USER32(?,000000EB), ref: 0008B35F
                • Part of subcall function 0008B63C: GetCursorPos.USER32(000000FF), ref: 0008B64F
                • Part of subcall function 0008B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0008B66C
                • Part of subcall function 0008B63C: GetAsyncKeyState.USER32(00000001), ref: 0008B691
                • Part of subcall function 0008B63C: GetAsyncKeyState.USER32(00000002), ref: 0008B69F
              • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 000DED3C
              • ImageList_EndDrag.COMCTL32 ref: 000DED42
              • ReleaseCapture.USER32 ref: 000DED48
              • SetWindowTextW.USER32(?,00000000), ref: 000DEDF0
              • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 000DEE03
              • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 000DEEDC
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
              • String ID: @GUI_DRAGFILE$@GUI_DROPID$@U=u
              • API String ID: 1924731296-2104563098
              • Opcode ID: 00207de58e6b225b9da560ed21619c5d5c8609c0032e6cc058394f80f6b6d178
              • Instruction ID: b39d881df93c308c18b255364a68aaf0e3a7b63524c8aa4f0855f58ec8beda39
              • Opcode Fuzzy Hash: 00207de58e6b225b9da560ed21619c5d5c8609c0032e6cc058394f80f6b6d178
              • Instruction Fuzzy Hash: 9851AB70204300AFE710EF24DC96FAA77E5FB88714F40491EF595972E2DBB49954CB62
              APIs
              • SetErrorMode.KERNEL32(00000001), ref: 000BE396
              • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 000BE40C
              • GetLastError.KERNEL32 ref: 000BE416
              • SetErrorMode.KERNEL32(00000000,READY), ref: 000BE483
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Error$Mode$DiskFreeLastSpace
              • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
              • API String ID: 4194297153-14809454
              • Opcode ID: 0d27f902f00de374a6781ae359d17d1b4e3e079d05b0a06abf22dbf409331535
              • Instruction ID: 76268059bde05ece7c2537d6caf571f2b2d9307829554636c5758887b90cc4ad
              • Opcode Fuzzy Hash: 0d27f902f00de374a6781ae359d17d1b4e3e079d05b0a06abf22dbf409331535
              • Instruction Fuzzy Hash: B3319235A00249AFDB11EFA4D845EFEB7F4EF44300F148066F506A7292DB74AE01CB91
              APIs
              • DeleteObject.GDI32(00000000), ref: 000D8EE4
              • GetDC.USER32(00000000), ref: 000D8EEC
              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 000D8EF7
              • ReleaseDC.USER32(00000000,00000000), ref: 000D8F03
              • CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 000D8F3F
              • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 000D8F50
              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,000DBD19,?,?,000000FF,00000000,?,000000FF,?), ref: 000D8F8A
              • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 000D8FAA
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
              • String ID: @U=u
              • API String ID: 3864802216-2594219639
              • Opcode ID: bd7237e2688a3302988c012d6dd084dd0921c0ca6c7005e4af5e1c53e959781e
              • Instruction ID: 131a58fd2b31a2563e71771f7c8969eccad56938deb05e72e57886d3f706aedf
              • Opcode Fuzzy Hash: bd7237e2688a3302988c012d6dd084dd0921c0ca6c7005e4af5e1c53e959781e
              • Instruction Fuzzy Hash: D0314C72200214BFEB118F50CC4AFFA3BAEEF49755F044066FE09DA291DAB99841DB74
              APIs
              • VariantInit.OLEAUT32(?), ref: 000CB2D5
              • CoInitialize.OLE32(00000000), ref: 000CB302
              • CoUninitialize.OLE32 ref: 000CB30C
              • GetRunningObjectTable.OLE32(00000000,?), ref: 000CB40C
              • SetErrorMode.KERNEL32(00000001,00000029), ref: 000CB539
              • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 000CB56D
              • CoGetObject.OLE32(?,00000000,000FD91C,?), ref: 000CB590
              • SetErrorMode.KERNEL32(00000000), ref: 000CB5A3
              • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 000CB623
              • VariantClear.OLEAUT32(000FD91C), ref: 000CB633
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
              • String ID:
              • API String ID: 2395222682-0
              • Opcode ID: b93bb3b5ecd5ad85cf2276b72aee83dd1c208073fb2e2ce58315f813b00a0340
              • Instruction ID: bb2ec0d0538084878015a17fcddb4122a4e6240cbcbdae4d3ca66e7860b84808
              • Opcode Fuzzy Hash: b93bb3b5ecd5ad85cf2276b72aee83dd1c208073fb2e2ce58315f813b00a0340
              • Instruction Fuzzy Hash: 37C111B1608305AFD700DF68C885E6EB7E9BF89344F00495DF58A9B252DB71ED06CB52
              APIs
              • __swprintf.LIBCMT ref: 000B67FD
              • __swprintf.LIBCMT ref: 000B680A
                • Part of subcall function 0009172B: __woutput_l.LIBCMT ref: 00091784
              • FindResourceW.KERNEL32(?,?,0000000E), ref: 000B6834
              • LoadResource.KERNEL32(?,00000000), ref: 000B6840
              • LockResource.KERNEL32(00000000), ref: 000B684D
              • FindResourceW.KERNEL32(?,?,00000003), ref: 000B686D
              • LoadResource.KERNEL32(?,00000000), ref: 000B687F
              • SizeofResource.KERNEL32(?,00000000), ref: 000B688E
              • LockResource.KERNEL32(?), ref: 000B689A
              • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 000B68F9
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
              • String ID:
              • API String ID: 1433390588-0
              • Opcode ID: c9107483056d526cfc5dda0a4697ac52be3d2381f9d81fded4a8883b5d438a48
              • Instruction ID: 54c09a957f1d3aa2c39b7b83770b9e6d4ca1a945e68b19d80e0234e463e2d353
              • Opcode Fuzzy Hash: c9107483056d526cfc5dda0a4697ac52be3d2381f9d81fded4a8883b5d438a48
              • Instruction Fuzzy Hash: F631A371A0021AABEB119F60DD55EFF7BA9FF08341F004526F915D2150EB39D951EBB0
              APIs
              • GetCurrentThreadId.KERNEL32 ref: 000B4047
              • GetForegroundWindow.USER32(00000000,?,?,?,?,?,000B30A5,?,00000001), ref: 000B405B
              • GetWindowThreadProcessId.USER32(00000000), ref: 000B4062
              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,000B30A5,?,00000001), ref: 000B4071
              • GetWindowThreadProcessId.USER32(?,00000000), ref: 000B4083
              • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,000B30A5,?,00000001), ref: 000B409C
              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,000B30A5,?,00000001), ref: 000B40AE
              • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,000B30A5,?,00000001), ref: 000B40F3
              • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,000B30A5,?,00000001), ref: 000B4108
              • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,000B30A5,?,00000001), ref: 000B4113
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Thread$AttachInput$Window$Process$CurrentForeground
              • String ID:
              • API String ID: 2156557900-0
              • Opcode ID: bbdd15180b78fc94b304e9ee9d0c39f716da131925f667db4f0ba0eb47b2c8f2
              • Instruction ID: 1683a68ae2ea2cb7b11be44130843ff5b4718693ba616f10b992e94e2a0318ec
              • Opcode Fuzzy Hash: bbdd15180b78fc94b304e9ee9d0c39f716da131925f667db4f0ba0eb47b2c8f2
              • Instruction Fuzzy Hash: F4319171900204AFEB20DF58DC85BB977EAFB54311F108407FA14E6691DBB89E80CB64
              APIs
                • Part of subcall function 0008B34E: GetWindowLongW.USER32(?,000000EB), ref: 0008B35F
              • GetSystemMetrics.USER32(0000000F), ref: 000E016D
              • MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 000E038D
              • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 000E03AB
              • InvalidateRect.USER32(?,00000000,00000001,?), ref: 000E03D6
              • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 000E03FF
              • ShowWindow.USER32(00000003,00000000), ref: 000E0421
              • DefDlgProcW.USER32(?,00000005,?,?), ref: 000E0440
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
              • String ID: @U=u
              • API String ID: 3356174886-2594219639
              • Opcode ID: af30a3308580f613a5dd62f975cdc9c3dade0e571f3d085acab3d87f9d706aef
              • Instruction ID: b584e1697e06c5f8260c702f7e688eb56c75e107c74ac8fede979846e9cb5aa4
              • Opcode Fuzzy Hash: af30a3308580f613a5dd62f975cdc9c3dade0e571f3d085acab3d87f9d706aef
              • Instruction Fuzzy Hash: 68A1AC75600656EFDB18CF79C9897BDBBF6BF08700F048119E954AB290D7B4AE90CB90
              APIs
              • EnumChildWindows.USER32(?,000ACF50), ref: 000ACE90
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: ChildEnumWindows
              • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
              • API String ID: 3555792229-1603158881
              • Opcode ID: 246e28be2094609661eddcee7c21fe9cb2f85d94e29422f1781f06414db83640
              • Instruction ID: 257e3980b0fc910e3199c5238ee91f10fbc1c20da278a5f87510100223e44b0c
              • Opcode Fuzzy Hash: 246e28be2094609661eddcee7c21fe9cb2f85d94e29422f1781f06414db83640
              • Instruction Fuzzy Hash: E791B230A00546AAEF58EFA0C481FEEFBB5BF05300F558519E95AA7142DF30695ADBE0
              APIs
              • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 000730DC
              • CoUninitialize.OLE32(?,00000000), ref: 00073181
              • UnregisterHotKey.USER32(?), ref: 000732A9
              • DestroyWindow.USER32(?), ref: 000E5079
              • FreeLibrary.KERNEL32(?), ref: 000E50F8
              • VirtualFree.KERNEL32(?,00000000,00008000), ref: 000E5125
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
              • String ID: close all
              • API String ID: 469580280-3243417748
              • Opcode ID: a37ccd4a2288169e60e19b65a53d58730dd13ad74c9745a0c3a66ca2a7283fd3
              • Instruction ID: 37e0c35ce40ee909805caaef1330cf6d9ca14c9e44e3a8fc6118bcb2588324e3
              • Opcode Fuzzy Hash: a37ccd4a2288169e60e19b65a53d58730dd13ad74c9745a0c3a66ca2a7283fd3
              • Instruction Fuzzy Hash: 3E914C70A002428FD719EF24C895FA8F3A4FF05305F5581A9E50AA7263DF38AE56DF58
              APIs
              • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 000D9B19
              • SendMessageW.USER32(?,00001036,00000000,?), ref: 000D9B2D
              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 000D9B47
              • _wcscat.LIBCMT ref: 000D9BA2
              • SendMessageW.USER32(?,00001057,00000000,?), ref: 000D9BB9
              • SendMessageW.USER32(?,00001061,?,0000000F), ref: 000D9BE7
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: MessageSend$Window_wcscat
              • String ID: @U=u$SysListView32
              • API String ID: 307300125-1908207174
              • Opcode ID: 8b246f6d7bdc8103555f69810f2c82b50da45f06e7e2a4a555f4e7c9be2761aa
              • Instruction ID: d0ede509e711ba314ef6d19222dfb2e57e459bed458cea069e7bc564c27218a7
              • Opcode Fuzzy Hash: 8b246f6d7bdc8103555f69810f2c82b50da45f06e7e2a4a555f4e7c9be2761aa
              • Instruction Fuzzy Hash: C141A171A00308ABEB219FA8DC85BEE77E9EF08354F10042BF549E7292D7759D84DB60
              APIs
              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 000C45FF
              • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 000C462B
              • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 000C466D
              • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 000C4682
              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 000C468F
              • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 000C46BF
              • InternetCloseHandle.WININET(00000000), ref: 000C4706
                • Part of subcall function 000C5052: GetLastError.KERNEL32(?,?,000C43CC,00000000,00000000,00000001), ref: 000C5067
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
              • String ID:
              • API String ID: 1241431887-3916222277
              • Opcode ID: f1bc02330bdd1675789329dc11821143e030ef27390a47e9e64d177cef2f4f80
              • Instruction ID: 26a264c8e884507689d819ea2ae8e55b2e13c4bc2a875b12c8e77b31ebe30adf
              • Opcode Fuzzy Hash: f1bc02330bdd1675789329dc11821143e030ef27390a47e9e64d177cef2f4f80
              • Instruction Fuzzy Hash: 2A419CB1500209BFEB129F90CC99FFF7BACFF09314F10411AFA019A185E7B49A449BA5
              APIs
              • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 000D8FE7
              • GetWindowLongW.USER32(0102F940,000000F0), ref: 000D901A
              • GetWindowLongW.USER32(0102F940,000000F0), ref: 000D904F
              • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 000D9081
              • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 000D90AB
              • GetWindowLongW.USER32(00000000,000000F0), ref: 000D90BC
              • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 000D90D6
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: LongWindow$MessageSend
              • String ID: @U=u
              • API String ID: 2178440468-2594219639
              • Opcode ID: 4e6e4e284a610436b56d3a99e2d897d3ef9cdd7f76863d08f093dd97e0c82c50
              • Instruction ID: 513987bec4cf2f3ed783af4dc64c8ae1365dcc0df328d20db7d2c969da8efce0
              • Opcode Fuzzy Hash: 4e6e4e284a610436b56d3a99e2d897d3ef9cdd7f76863d08f093dd97e0c82c50
              • Instruction Fuzzy Hash: F3313975600215EFEB20CF98EC85FA43BE6FB4A714F144166F619CB6B1CBB1A840DB61
              APIs
              • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0010DC00), ref: 000CB715
              • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0010DC00), ref: 000CB749
              • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 000CB8C1
              • SysFreeString.OLEAUT32(?), ref: 000CB8EB
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Free$FileLibraryModuleNamePathQueryStringType
              • String ID:
              • API String ID: 560350794-0
              • Opcode ID: 46b7c31c3e0c39ffd13b79d3cb3d860a5d463d9d7a4dc9309eed5b1fae7971ae
              • Instruction ID: a5c50901d810273ab4399e34ed9a79e792650a9f1ad7846632d0d1543f00a7c0
              • Opcode Fuzzy Hash: 46b7c31c3e0c39ffd13b79d3cb3d860a5d463d9d7a4dc9309eed5b1fae7971ae
              • Instruction Fuzzy Hash: F0F14B71A00209EFDF14DF94C889EAEB7BAFF49311F108499F945AB251DB31AE45CB50
              APIs
              • _memset.LIBCMT ref: 000D24F5
              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 000D2688
              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 000D26AC
              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 000D26EC
              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 000D270E
              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 000D286F
              • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 000D28A1
              • CloseHandle.KERNEL32(?), ref: 000D28D0
              • CloseHandle.KERNEL32(?), ref: 000D2947
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
              • String ID:
              • API String ID: 4090791747-0
              • Opcode ID: 3dd6e373c79474a7d35a21196ff76befaf2005283a30748cb97369bb86435f13
              • Instruction ID: 8222fe16826a7c1a66625566254fa8ad6aecc9bb9c2b317193caedb75563b489
              • Opcode Fuzzy Hash: 3dd6e373c79474a7d35a21196ff76befaf2005283a30748cb97369bb86435f13
              • Instruction Fuzzy Hash: 7AD18C31604301DFDB14EF24D891AAABBE1BF94310F14856EF9899B3A2DB31DD41CB66
              APIs
                • Part of subcall function 000B6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,000B5FA6,?), ref: 000B6ED8
                • Part of subcall function 000B6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,000B5FA6,?), ref: 000B6EF1
                • Part of subcall function 000B72CB: GetFileAttributesW.KERNEL32(?,000B6019), ref: 000B72CC
              • lstrcmpiW.KERNEL32(?,?), ref: 000B75CA
              • _wcscmp.LIBCMT ref: 000B75E2
              • MoveFileW.KERNEL32(?,?), ref: 000B75FB
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
              • String ID:
              • API String ID: 793581249-0
              • Opcode ID: 05243152eb1ffe80f7b637d3063de428111fa563c3979374efdfd56aa5694512
              • Instruction ID: ad05fe56f3e01c039a9a413c59e85e54dd12f2578ed1d650513b4eb8bc5d6c7e
              • Opcode Fuzzy Hash: 05243152eb1ffe80f7b637d3063de428111fa563c3979374efdfd56aa5694512
              • Instruction Fuzzy Hash: 645120B2A092199EDF64EB94D881DDE73BC9F48310F0040AAFA09E3542EA74D7C5CF64
              APIs
              • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,000EDAD1,00000004,00000000,00000000), ref: 0008EAEB
              • ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,000EDAD1,00000004,00000000,00000000), ref: 0008EB32
              • ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,000EDAD1,00000004,00000000,00000000), ref: 000EDC86
              • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,000EDAD1,00000004,00000000,00000000), ref: 000EDCF2
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: ShowWindow
              • String ID:
              • API String ID: 1268545403-0
              • Opcode ID: 1a8e519e31b1dc002ae6a291118faafe43dded447e5da49a404c4b2a5c1caa76
              • Instruction ID: 6e8850e4edf29c88ce425dca9bac7da40425e863841cf6f350d537be7b080fb7
              • Opcode Fuzzy Hash: 1a8e519e31b1dc002ae6a291118faafe43dded447e5da49a404c4b2a5c1caa76
              • Instruction Fuzzy Hash: 3141E570208AC1AFD7B96B29CD8DA7F7AD6FB41314F29041AE0C7969A1D774B880D711
              APIs
              • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,000AAEF1,00000B00,?,?), ref: 000AB26C
              • HeapAlloc.KERNEL32(00000000,?,000AAEF1,00000B00,?,?), ref: 000AB273
              • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,000AAEF1,00000B00,?,?), ref: 000AB288
              • GetCurrentProcess.KERNEL32(?,00000000,?,000AAEF1,00000B00,?,?), ref: 000AB290
              • DuplicateHandle.KERNEL32(00000000,?,000AAEF1,00000B00,?,?), ref: 000AB293
              • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,000AAEF1,00000B00,?,?), ref: 000AB2A3
              • GetCurrentProcess.KERNEL32(000AAEF1,00000000,?,000AAEF1,00000B00,?,?), ref: 000AB2AB
              • DuplicateHandle.KERNEL32(00000000,?,000AAEF1,00000B00,?,?), ref: 000AB2AE
              • CreateThread.KERNEL32(00000000,00000000,000AB2D4,00000000,00000000,00000000), ref: 000AB2C8
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
              • String ID:
              • API String ID: 1957940570-0
              • Opcode ID: 2d2ff65e9f1826a0869599ec7aaf86775830d024d4f4cc88ba098eb047e68f85
              • Instruction ID: 573b3c47dd5487525d4cad11644eb5bda52375b6d8b3e0c3307919874ebac4c3
              • Opcode Fuzzy Hash: 2d2ff65e9f1826a0869599ec7aaf86775830d024d4f4cc88ba098eb047e68f85
              • Instruction Fuzzy Hash: 9801B6B5240308BFF710ABA5DC49F6B7BADEB89711F018412FB05DB5A1CA799900DB61
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID:
              • String ID: NULL Pointer assignment$Not an Object type
              • API String ID: 0-572801152
              • Opcode ID: c2aaf9468bd7e6ba91b55452daaa170e0dc920a380a2ade41c417667e2a19f54
              • Instruction ID: 400054e22239ec64c73e24cab1f5b0baf91b30813297b5bd8394a240eb89a4ee
              • Opcode Fuzzy Hash: c2aaf9468bd7e6ba91b55452daaa170e0dc920a380a2ade41c417667e2a19f54
              • Instruction Fuzzy Hash: 6DE18E71A00219ABEF14DFA8C985FEE77F5EB48314F14816DE909AB281D770AD45CB90
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Variant$ClearInit$_memset
              • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
              • API String ID: 2862541840-625585964
              • Opcode ID: 0f3730e28f20405f22313bc8daedb3e095c860b57157b05c6e88e3ed40c4b03f
              • Instruction ID: e651168003db64159536ec1eb5bef2acebc4771e0e6844ee56accaa4b7b5d4d7
              • Opcode Fuzzy Hash: 0f3730e28f20405f22313bc8daedb3e095c860b57157b05c6e88e3ed40c4b03f
              • Instruction Fuzzy Hash: AC918E71A00219ABDF24DFA5D885FEEBBB8EF45710F10855EF516AB281DB709940CFA0
              APIs
                • Part of subcall function 000B6532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 000B6554
                • Part of subcall function 000B6532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 000B6564
                • Part of subcall function 000B6532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 000B65F9
              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 000D179A
              • GetLastError.KERNEL32 ref: 000D17AD
              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 000D17D9
              • TerminateProcess.KERNEL32(00000000,00000000), ref: 000D1855
              • GetLastError.KERNEL32(00000000), ref: 000D1860
              • CloseHandle.KERNEL32(00000000), ref: 000D1895
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
              • String ID: SeDebugPrivilege
              • API String ID: 2533919879-2896544425
              • Opcode ID: f49db1b187b53ba4d548539b9926ed17094bd9bff8892486cc856ccf9438cbc6
              • Instruction ID: fed5bf7e16562ba1c15a9d6782a3eed2503073185dff7e028ec42af26977af77
              • Opcode Fuzzy Hash: f49db1b187b53ba4d548539b9926ed17094bd9bff8892486cc856ccf9438cbc6
              • Instruction Fuzzy Hash: 49416C71600201AFEB15EF94C895FFEB7A6AF54310F04809AF9069B393DF799900DB61
              APIs
              • ShowWindow.USER32(00131628,00000000,00131628,00000000,00000000,00131628,?,000EDC5D,00000000,?,00000000,00000000,00000000,?,000EDAD1,00000004), ref: 000DE40B
              • EnableWindow.USER32(00000000,00000000), ref: 000DE42F
              • ShowWindow.USER32(00131628,00000000), ref: 000DE48F
              • ShowWindow.USER32(00000000,00000004), ref: 000DE4A1
              • EnableWindow.USER32(00000000,00000001), ref: 000DE4C5
              • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 000DE4E8
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Window$Show$Enable$MessageSend
              • String ID: @U=u
              • API String ID: 642888154-2594219639
              • Opcode ID: bfd37f01ad2e06cb9cfe53444a2d0798a90b7a661ac11c7bb4c3c04c0669b5ba
              • Instruction ID: c524f66f3c6efad8c8d1864e7b24394e6986434c9eb5e1b562be2e36f39d481b
              • Opcode Fuzzy Hash: bfd37f01ad2e06cb9cfe53444a2d0798a90b7a661ac11c7bb4c3c04c0669b5ba
              • Instruction Fuzzy Hash: 2D417430601280EFDB61DF24C499B947BF1BF05304F1881BAEA588F3A2C775E851DB61
              APIs
              • LoadIconW.USER32(00000000,00007F03), ref: 000B58B8
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: IconLoad
              • String ID: blank$info$question$stop$warning
              • API String ID: 2457776203-404129466
              • Opcode ID: f95aa8886c2c2aca703244f001ef10e9ba46c580d80368af74d76a419a1f2369
              • Instruction ID: d5313dc5c5b0982733b7bdd54cc08a9a0df9153cd9ce2c2317a685cc870451c3
              • Opcode Fuzzy Hash: f95aa8886c2c2aca703244f001ef10e9ba46c580d80368af74d76a419a1f2369
              • Instruction Fuzzy Hash: 3411E731709756BEEB115B54AC92EEE33ED9F25320B20007AF514B66C2FBA4AB405664
              APIs
              • SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 000BA806
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: ArraySafeVartype
              • String ID:
              • API String ID: 1725837607-0
              • Opcode ID: bcc648727daa824542a3d0ab660614a0d2e80ac34ec98025dae3a4adc14f58b8
              • Instruction ID: 1cd895333a5df35474ca0ccafbfc9d848cf0c88497e4e95a090eeed31e33b1aa
              • Opcode Fuzzy Hash: bcc648727daa824542a3d0ab660614a0d2e80ac34ec98025dae3a4adc14f58b8
              • Instruction Fuzzy Hash: E1C16B75A0421ADFDB14DF98C481BEEB7F4FF0A315F20406AE645E7241DB35AA41CBA2
              APIs
              • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 000B6B63
              • LoadStringW.USER32(00000000), ref: 000B6B6A
              • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 000B6B80
              • LoadStringW.USER32(00000000), ref: 000B6B87
              • _wprintf.LIBCMT ref: 000B6BAD
              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 000B6BCB
              Strings
              • %s (%d) : ==> %s: %s %s, xrefs: 000B6BA8
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: HandleLoadModuleString$Message_wprintf
              • String ID: %s (%d) : ==> %s: %s %s
              • API String ID: 3648134473-3128320259
              • Opcode ID: 69b61100a82ea6cdc6f6445a0b6d9d2ba82ff29415b80a8a50e0188e230f2454
              • Instruction ID: 65a62bed11074056f89c4e6d8eccfa0010fb9698aab044b9492c29a255175443
              • Opcode Fuzzy Hash: 69b61100a82ea6cdc6f6445a0b6d9d2ba82ff29415b80a8a50e0188e230f2454
              • Instruction Fuzzy Hash: 890136F65002187FFB11A7949D89EFB776CE704304F0044A6B745E2441EA789E849F74
              APIs
                • Part of subcall function 000D3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000D2BB5,?,?), ref: 000D3C1D
              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000D2BF6
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: BuffCharConnectRegistryUpper
              • String ID:
              • API String ID: 2595220575-0
              • Opcode ID: 3f820c03953719c098342e0e026d9533ffd2a0f05e8ea5dce24e97d30170a18b
              • Instruction ID: 3110fd6b68ceae181c60d596dd0747fb68382de35226a16106c6816677758378
              • Opcode Fuzzy Hash: 3f820c03953719c098342e0e026d9533ffd2a0f05e8ea5dce24e97d30170a18b
              • Instruction Fuzzy Hash: 71917A716043019FD714EF14C885BAEB7E6FF98310F04885EF99A9B292DB34E905DB52
              APIs
              • select.WSOCK32 ref: 000C9691
              • WSAGetLastError.WSOCK32(00000000), ref: 000C969E
              • __WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 000C96C8
              • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 000C96E9
              • WSAGetLastError.WSOCK32(00000000), ref: 000C96F8
              • htons.WSOCK32(?,?,?,00000000,?), ref: 000C97AA
              • inet_ntoa.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,0010DC00), ref: 000C9765
                • Part of subcall function 000AD2FF: _strlen.LIBCMT ref: 000AD309
              • _strlen.LIBCMT ref: 000C9800
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: ErrorLast_strlen$htonsinet_ntoaselect
              • String ID:
              • API String ID: 3480843537-0
              • Opcode ID: 6f48c8870fe1a13165862c291e21415826e9c1eebd32a03c5726ff2e4fee6d02
              • Instruction ID: 3f5cccfe8f3114ecb7e38eabecb2c4bee2a36c0a7d6aecbd126d08b91b78ff6a
              • Opcode Fuzzy Hash: 6f48c8870fe1a13165862c291e21415826e9c1eebd32a03c5726ff2e4fee6d02
              • Instruction Fuzzy Hash: FC81DF31508200ABD714EF64CC89FAFBBE9EF85714F10861DF5599B292EB30D905CB96
              APIs
              • __mtinitlocknum.LIBCMT ref: 0009A991
                • Part of subcall function 00097D7C: __FF_MSGBANNER.LIBCMT ref: 00097D91
                • Part of subcall function 00097D7C: __NMSG_WRITE.LIBCMT ref: 00097D98
                • Part of subcall function 00097D7C: __malloc_crt.LIBCMT ref: 00097DB8
              • __lock.LIBCMT ref: 0009A9A4
              • __lock.LIBCMT ref: 0009A9F0
              • InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00126DE0,00000018,000A5E7B,?,00000000,00000109), ref: 0009AA0C
              • EnterCriticalSection.KERNEL32(8000000C,00126DE0,00000018,000A5E7B,?,00000000,00000109), ref: 0009AA29
              • LeaveCriticalSection.KERNEL32(8000000C), ref: 0009AA39
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
              • String ID:
              • API String ID: 1422805418-0
              • Opcode ID: 9693284cb9ae00a30c5adc8a4366eb3bbdf15607cf85d5413cabf4613e986302
              • Instruction ID: 8ccac1ebc17caa86d8da6f08ab66f43f1e7e8c15f8b9b27a943a55205acb9fe3
              • Opcode Fuzzy Hash: 9693284cb9ae00a30c5adc8a4366eb3bbdf15607cf85d5413cabf4613e986302
              • Instruction Fuzzy Hash: C2411771B002059BEF24DF68DA4479CB7F0AF06339F158219E429AB6D2DB749940EBD2
              APIs
                • Part of subcall function 0007936C: __swprintf.LIBCMT ref: 000793AB
                • Part of subcall function 0007936C: __itow.LIBCMT ref: 000793DF
                • Part of subcall function 0008C6F4: _wcscpy.LIBCMT ref: 0008C717
              • _wcstok.LIBCMT ref: 000C184E
              • _wcscpy.LIBCMT ref: 000C18DD
              • _memset.LIBCMT ref: 000C1910
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: _wcscpy$__itow__swprintf_memset_wcstok
              • String ID: X
              • API String ID: 774024439-3081909835
              • Opcode ID: c40b0dd4a77f412492942336394f2faf65ea86554d979eade4c65eb5ae68f2c5
              • Instruction ID: 171dd28f52f19d9239f77654aafa3dd3d0bee61eec16350ffc9401743afcce98
              • Opcode Fuzzy Hash: c40b0dd4a77f412492942336394f2faf65ea86554d979eade4c65eb5ae68f2c5
              • Instruction Fuzzy Hash: 62C14A719083409FD764EF24C941E9EB7E4AF86350F04892DF89A972A3DB74ED05CB86
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 09d69e80a5e1f608bd510ad0423efd1020ec13d83c848d7e597ffb6c025cd21b
              • Instruction ID: 6a22360e5d3050d5c669187b7519958441b87e6f9030a3e87858a9ad18ce729f
              • Opcode Fuzzy Hash: 09d69e80a5e1f608bd510ad0423efd1020ec13d83c848d7e597ffb6c025cd21b
              • Instruction Fuzzy Hash: 0E717E70A00509EFDB14DF98CC48ABEBBB5FF86314F24815AFA55A6252C734AA01CF61
              APIs
              • _memset.LIBCMT ref: 000D225A
              • _memset.LIBCMT ref: 000D2323
              • ShellExecuteExW.SHELL32(?), ref: 000D2368
                • Part of subcall function 0007936C: __swprintf.LIBCMT ref: 000793AB
                • Part of subcall function 0007936C: __itow.LIBCMT ref: 000793DF
                • Part of subcall function 0008C6F4: _wcscpy.LIBCMT ref: 0008C717
              • CloseHandle.KERNEL32(00000000), ref: 000D242F
              • FreeLibrary.KERNEL32(00000000), ref: 000D243E
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
              • String ID: @
              • API String ID: 4082843840-2766056989
              • Opcode ID: b3f21dcf091875c48bf178ac0f1e63acd9424c9e3c0eb380a3f6da7f9b55589c
              • Instruction ID: 64f2a43b8ada88ff7d4de57b2326c03c1f6fe79d847cf3a00555f1325a437881
              • Opcode Fuzzy Hash: b3f21dcf091875c48bf178ac0f1e63acd9424c9e3c0eb380a3f6da7f9b55589c
              • Instruction Fuzzy Hash: A5718E70A00619DFCF04EFA4C8859AEB7F5FF58310F10845AE859AB352CB34AE41CBA4
              APIs
              • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 000DE1D5
              • SendMessageW.USER32(?,000000B0,?,?), ref: 000DE20D
              • IsDlgButtonChecked.USER32(?,00000001), ref: 000DE248
              • GetWindowLongW.USER32(?,000000EC), ref: 000DE269
              • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 000DE281
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: MessageSend$ButtonCheckedLongWindow
              • String ID: @U=u
              • API String ID: 3188977179-2594219639
              • Opcode ID: 090c5af4ec7232b11fc0c06e3a12bc7420e9fb55b6447600c779b1827f5a71d1
              • Instruction ID: 2fae7248f08cd936455eadb517b6fb46d1cee1daf3dffe646b722474a2cd100b
              • Opcode Fuzzy Hash: 090c5af4ec7232b11fc0c06e3a12bc7420e9fb55b6447600c779b1827f5a71d1
              • Instruction Fuzzy Hash: 0B618078B00384AFDB25EF54C855FEA7BFAAF4A300F14405AF9599B391C770A941CB20
              APIs
              • GetParent.USER32(00000000), ref: 000B3C02
              • GetKeyboardState.USER32(?), ref: 000B3C17
              • SetKeyboardState.USER32(?), ref: 000B3C78
              • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 000B3CA4
              • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 000B3CC1
              • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 000B3D05
              • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 000B3D26
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: MessagePost$KeyboardState$Parent
              • String ID:
              • API String ID: 87235514-0
              • Opcode ID: 9176420933809cecf747ee32254c005ad443f8baf6393082ab718fb9fc18260d
              • Instruction ID: 69f66549232294a8c619e7a72352377d17ecb9caff4761059a75f745842ca724
              • Opcode Fuzzy Hash: 9176420933809cecf747ee32254c005ad443f8baf6393082ab718fb9fc18260d
              • Instruction Fuzzy Hash: 565106A05087D53DFB3683748C56BFABFE96B06300F188589E1D55A8C3D794EE84E760
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID:
              • String ID: @U=u
              • API String ID: 0-2594219639
              • Opcode ID: b03d6a550437aa11bfca8df3ce943ee63a6d06fdd7f88880b83c2de784556be0
              • Instruction ID: a8397d56fbe959746c1299dccd329e98a94632036fb9eaf1fd05b7bd2d3a5f18
              • Opcode Fuzzy Hash: b03d6a550437aa11bfca8df3ce943ee63a6d06fdd7f88880b83c2de784556be0
              • Instruction Fuzzy Hash: 5E419679900306AFE760DF68CC44FA9BBAAEB09310F150267F959E73D1C774AD41DA60
              APIs
              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000B08F2
              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000B0918
              • SysAllocString.OLEAUT32(00000000), ref: 000B091B
              • SysAllocString.OLEAUT32(?), ref: 000B0939
              • SysFreeString.OLEAUT32(?), ref: 000B0942
              • StringFromGUID2.OLE32(?,?,00000028), ref: 000B0967
              • SysAllocString.OLEAUT32(?), ref: 000B0975
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
              • String ID:
              • API String ID: 3761583154-0
              • Opcode ID: dc4756bf7d1599c2c2dae8613787526528d6ebcd87fb19672dd99aa343f866b7
              • Instruction ID: c085fea16d23ad078572530ee2cde76afabdc3d1b3731acebaf8e76bd192f842
              • Opcode Fuzzy Hash: dc4756bf7d1599c2c2dae8613787526528d6ebcd87fb19672dd99aa343f866b7
              • Instruction Fuzzy Hash: FD217F76601219AFEB109BA8CC88DFF73ECEB09760B008126F955DB251D674ED45CB60
              APIs
              • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 000AB88E
              • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 000AB8A1
              • SendMessageW.USER32(?,00000189,?,00000000), ref: 000AB8D1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: MessageSend
              • String ID: @U=u$ComboBox$ListBox
              • API String ID: 3850602802-2258501812
              • Opcode ID: e19652fec6764f5016d1ae2fb8c2c525aff23deb9799519d6ef0aff12304a4fb
              • Instruction ID: 2f4999aa11a4ee6e2d422d51c3ee45e06cdfa6630e5c1a3690eaa80004b68901
              • Opcode Fuzzy Hash: e19652fec6764f5016d1ae2fb8c2c525aff23deb9799519d6ef0aff12304a4fb
              • Instruction Fuzzy Hash: E921D271900108BFEB14ABB8D886DFE77B9EF06354B14412AF016A31E2DF784906DB60
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: __wcsnicmp
              • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
              • API String ID: 1038674560-2734436370
              • Opcode ID: e0e5b687ff59ca97d4d52b1a40accdd7f09ce8aa9a85e2e79de68837fbdff8a1
              • Instruction ID: 687c28a5e7810649c46bd9ebf5ec3b4f8059553048e59af928604a7ef6825aec
              • Opcode Fuzzy Hash: e0e5b687ff59ca97d4d52b1a40accdd7f09ce8aa9a85e2e79de68837fbdff8a1
              • Instruction Fuzzy Hash: F1214972204A117BD730BA749C12FFB73D9EF65300F504429F486A7582EBB59982D3A5
              APIs
              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000B09CB
              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000B09F1
              • SysAllocString.OLEAUT32(00000000), ref: 000B09F4
              • SysAllocString.OLEAUT32 ref: 000B0A15
              • SysFreeString.OLEAUT32 ref: 000B0A1E
              • StringFromGUID2.OLE32(?,?,00000028), ref: 000B0A38
              • SysAllocString.OLEAUT32(?), ref: 000B0A46
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
              • String ID:
              • API String ID: 3761583154-0
              • Opcode ID: f2fe488f3ad1d882ad6be79f3bc3acd1dfd1edc806bbdfd2f2ea75dfcfa5b442
              • Instruction ID: 2fc14dcd0c6853738227278ab7a30e21cc511c237ae7f9bf637db9d9d3414ad1
              • Opcode Fuzzy Hash: f2fe488f3ad1d882ad6be79f3bc3acd1dfd1edc806bbdfd2f2ea75dfcfa5b442
              • Instruction Fuzzy Hash: B5213275600204AFEB10DBA8DC89DBF77EDEF083607408526F949CB261E674ED41D765
              APIs
              • IsWindowVisible.USER32(?), ref: 000ADBD7
              • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 000ADBF4
              • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 000ADC2C
              • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 000ADC52
              • _wcsstr.LIBCMT ref: 000ADC5C
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
              • String ID: @U=u
              • API String ID: 3902887630-2594219639
              • Opcode ID: 11d97f63fb9cb6f0b86d82120ff3d86521240f030e0bce194aa07b60dfbaf408
              • Instruction ID: cd8c8c2a2ac84e21abd5fd99a55ecf4f76594ed6b5d91e865b11dc23c7dff61b
              • Opcode Fuzzy Hash: 11d97f63fb9cb6f0b86d82120ff3d86521240f030e0bce194aa07b60dfbaf408
              • Instruction Fuzzy Hash: E0212971204101BBEB255F799C49EBF7BA9EF46760F10403BF80ACA191EEA5DC01E760
              APIs
              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 000ABC90
              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 000ABCC2
              • __itow.LIBCMT ref: 000ABCDA
              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 000ABD00
              • __itow.LIBCMT ref: 000ABD11
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: MessageSend$__itow
              • String ID: @U=u
              • API String ID: 3379773720-2594219639
              • Opcode ID: 1149b9594d557b57eeff9d4a241e904e0a74305bb5db898aa5e9fe106b5e91d1
              • Instruction ID: 66659ee629237251f160125d1403a7d1932210556588dfeb982ec11c8ea2fa62
              • Opcode Fuzzy Hash: 1149b9594d557b57eeff9d4a241e904e0a74305bb5db898aa5e9fe106b5e91d1
              • Instruction Fuzzy Hash: EA21DB35B00718BBDB20AEA58C46FDE7BA9AF4B710F004025F905EB183EB74C90597A1
              APIs
                • Part of subcall function 0008D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0008D1BA
                • Part of subcall function 0008D17C: GetStockObject.GDI32(00000011), ref: 0008D1CE
                • Part of subcall function 0008D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0008D1D8
              • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 000DA32D
              • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 000DA33A
              • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 000DA345
              • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 000DA354
              • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 000DA360
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: MessageSend$CreateObjectStockWindow
              • String ID: Msctls_Progress32
              • API String ID: 1025951953-3636473452
              • Opcode ID: 5731d9434157c6d2639a78234735e300bc19cd09ba82d97ff48f27d694750803
              • Instruction ID: 311054b9bbcd7053f21a0a8b29407a329f1e6d1f0a1714187074d031f49449cb
              • Opcode Fuzzy Hash: 5731d9434157c6d2639a78234735e300bc19cd09ba82d97ff48f27d694750803
              • Instruction Fuzzy Hash: 4511B6B1150219BEEF115F60CC85EEB7F6DFF09798F014115FA04A61A0C7729C21DBA4
              APIs
              • GetClientRect.USER32(?,?), ref: 0008CCF6
              • GetWindowRect.USER32(?,?), ref: 0008CD37
              • ScreenToClient.USER32(?,?), ref: 0008CD5F
              • GetClientRect.USER32(?,?), ref: 0008CE8C
              • GetWindowRect.USER32(?,?), ref: 0008CEA5
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Rect$Client$Window$Screen
              • String ID:
              • API String ID: 1296646539-0
              • Opcode ID: 5a97a299829924b2fc05bce33a8db133213cf76f081d94e359e2c26b6fcc7ba6
              • Instruction ID: 4e765e1da0066c0ec24834e3e7111b71b247fb383bafeccebe30d066bc36ef40
              • Opcode Fuzzy Hash: 5a97a299829924b2fc05bce33a8db133213cf76f081d94e359e2c26b6fcc7ba6
              • Instruction Fuzzy Hash: 3DB14C79900689DBEB60DFA9C480BEDB7F1FF08310F149529EC99EB250DB30A950DB64
              APIs
              • CreateToolhelp32Snapshot.KERNEL32 ref: 000D1C18
              • Process32FirstW.KERNEL32(00000000,?), ref: 000D1C26
              • __wsplitpath.LIBCMT ref: 000D1C54
                • Part of subcall function 00091DFC: __wsplitpath_helper.LIBCMT ref: 00091E3C
              • _wcscat.LIBCMT ref: 000D1C69
              • Process32NextW.KERNEL32(00000000,?), ref: 000D1CDF
              • CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 000D1CF1
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
              • String ID:
              • API String ID: 1380811348-0
              • Opcode ID: e8128ab821b9affbfd928fe24ea92ea75d7ff5611bbba6674db1df5140c55663
              • Instruction ID: ca3c84dfb59ae393c4d2aeff322571548fcac415b38463e160f8dd7e06c311d9
              • Opcode Fuzzy Hash: e8128ab821b9affbfd928fe24ea92ea75d7ff5611bbba6674db1df5140c55663
              • Instruction Fuzzy Hash: FB516E71504340AFD720EF24D885EEBB7ECEF88754F00491EF58997252EB34AA05CBA6
              APIs
                • Part of subcall function 000D3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000D2BB5,?,?), ref: 000D3C1D
              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000D30AF
              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 000D30EF
              • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 000D3112
              • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 000D313B
              • RegCloseKey.ADVAPI32(?,?,00000000), ref: 000D317E
              • RegCloseKey.ADVAPI32(00000000), ref: 000D318B
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
              • String ID:
              • API String ID: 3451389628-0
              • Opcode ID: 6812ade4dfb182c8acdf7030f368ccb4d6a62aa2012154b8aa62d908493bbb38
              • Instruction ID: 3ed0e4abb6710e9840fcd290e8311830efaaa192afde3959233ad0906aa5e021
              • Opcode Fuzzy Hash: 6812ade4dfb182c8acdf7030f368ccb4d6a62aa2012154b8aa62d908493bbb38
              • Instruction Fuzzy Hash: 0E515931508301AFD714EF64C895EAABBF9FF89300F04891EF58587292DB75EA05CB62
              APIs
              • GetMenu.USER32(?), ref: 000D8540
              • GetMenuItemCount.USER32(00000000), ref: 000D8577
              • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 000D859F
              • GetMenuItemID.USER32(?,?), ref: 000D860E
              • GetSubMenu.USER32(?,?), ref: 000D861C
              • PostMessageW.USER32(?,00000111,?,00000000), ref: 000D866D
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Menu$Item$CountMessagePostString
              • String ID:
              • API String ID: 650687236-0
              • Opcode ID: 186d777bc2083a782f583530b2c2eafe22e6fd87ad6fc8d6eb21608a4182cd40
              • Instruction ID: bdb9955422a54a317f2ac5d33b325031ce06cc860aeff4995f15e6887218537a
              • Opcode Fuzzy Hash: 186d777bc2083a782f583530b2c2eafe22e6fd87ad6fc8d6eb21608a4182cd40
              • Instruction Fuzzy Hash: B7518E75E00615AFDB11EF68C845AEEB7F5EF48310F1084AAE905BB351DB34AE41CBA4
              APIs
              • _memset.LIBCMT ref: 000B4B10
              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000B4B5B
              • IsMenu.USER32(00000000), ref: 000B4B7B
              • CreatePopupMenu.USER32 ref: 000B4BAF
              • GetMenuItemCount.USER32(000000FF), ref: 000B4C0D
              • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 000B4C3E
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
              • String ID:
              • API String ID: 3311875123-0
              • Opcode ID: eaea1810d01a728feb3df09bce5065e24cf779e4fe3fec39817a6d3e996a1e66
              • Instruction ID: 98f524b5603110b36da1f580f09bcc5bed0998d504c915b8a03ab880133e3d90
              • Opcode Fuzzy Hash: eaea1810d01a728feb3df09bce5065e24cf779e4fe3fec39817a6d3e996a1e66
              • Instruction Fuzzy Hash: 1F51CD70601209EFDF60CF68D888BEDBFF5AF54718F14815AE5259B292E3B09A44CB52
              APIs
              • select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,0010DC00), ref: 000C8E7C
              • WSAGetLastError.WSOCK32(00000000), ref: 000C8E89
              • __WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 000C8EAD
              • #16.WSOCK32(?,?,00000000,00000000), ref: 000C8EC5
              • _strlen.LIBCMT ref: 000C8EF7
              • WSAGetLastError.WSOCK32(00000000), ref: 000C8F6A
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: ErrorLast$_strlenselect
              • String ID:
              • API String ID: 2217125717-0
              • Opcode ID: 8eede1eab7202ce1494a19f0ad1178d7efb9e929f03419c5474eeccb0ad5a78c
              • Instruction ID: 1f6b9f00fe0a7062a8499daeb6c59ffba2f03cbb4c700a5820188e9473de00e4
              • Opcode Fuzzy Hash: 8eede1eab7202ce1494a19f0ad1178d7efb9e929f03419c5474eeccb0ad5a78c
              • Instruction Fuzzy Hash: 9941A571900204ABDB14EBA4CD85FEEB7BAEF59310F10816DF51A97292DF34AE01CB64
              APIs
                • Part of subcall function 0008B34E: GetWindowLongW.USER32(?,000000EB), ref: 0008B35F
              • BeginPaint.USER32(?,?,?), ref: 0008AC2A
              • GetWindowRect.USER32(?,?), ref: 0008AC8E
              • ScreenToClient.USER32(?,?), ref: 0008ACAB
              • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0008ACBC
              • EndPaint.USER32(?,?,?,?,?), ref: 0008AD06
              • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 000EE673
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
              • String ID:
              • API String ID: 2592858361-0
              • Opcode ID: 7eb84b361829de1f6e6c4e202849c8a27418750ffc688a0597073ba5899b647c
              • Instruction ID: f13b14712c9c42a42c79222bb57606ab6bd14cb720cc6fd9e123468dc8305ddd
              • Opcode Fuzzy Hash: 7eb84b361829de1f6e6c4e202849c8a27418750ffc688a0597073ba5899b647c
              • Instruction Fuzzy Hash: 3641E670200340AFD710EF54CC85FBA7BE9FB56360F04062AF9A4C76A2C775A884DB62
              APIs
              • InterlockedExchange.KERNEL32(?,000001F5), ref: 000B98D1
                • Part of subcall function 0008F4EA: std::exception::exception.LIBCMT ref: 0008F51E
                • Part of subcall function 0008F4EA: __CxxThrowException@8.LIBCMT ref: 0008F533
              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 000B9908
              • EnterCriticalSection.KERNEL32(?), ref: 000B9924
              • LeaveCriticalSection.KERNEL32(?), ref: 000B999E
              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 000B99B3
              • InterlockedExchange.KERNEL32(?,000001F6), ref: 000B99D2
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
              • String ID:
              • API String ID: 2537439066-0
              • Opcode ID: f2352bc67602880f7f47ecccb38c2e557a5d4faaab9c5e6aa766f0f409643cc7
              • Instruction ID: d1ef7924346632a292486bd4f8f9e60b1b69b6fa574a6be8bf1d54a78dd7c9c0
              • Opcode Fuzzy Hash: f2352bc67602880f7f47ecccb38c2e557a5d4faaab9c5e6aa766f0f409643cc7
              • Instruction Fuzzy Hash: 99317031900105EBDB50EFA9DC85EAEBBB9FF45310B1480BAF904AB246D774DE11DBA0
              APIs
              • GetForegroundWindow.USER32(?,?,?,?,?,?,000C77F4,?,?,00000000,00000001), ref: 000C9B53
                • Part of subcall function 000C6544: GetWindowRect.USER32(?,?), ref: 000C6557
              • GetDesktopWindow.USER32 ref: 000C9B7D
              • GetWindowRect.USER32(00000000), ref: 000C9B84
              • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 000C9BB6
                • Part of subcall function 000B7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 000B7AD0
              • GetCursorPos.USER32(?), ref: 000C9BE2
              • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 000C9C44
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
              • String ID:
              • API String ID: 4137160315-0
              • Opcode ID: fa70879e0b2abb8b484d0c117db0a49f860b8bbb59d96b76ce7530c89c6b9104
              • Instruction ID: 51d27faaf612c4fab07cdbe1a3df909f0a4b7fce12a615796f9cea2811917871
              • Opcode Fuzzy Hash: fa70879e0b2abb8b484d0c117db0a49f860b8bbb59d96b76ce7530c89c6b9104
              • Instruction Fuzzy Hash: 4931CF72104305ABD720DF14D849FAEB7EAFF88314F00091AF589E7182DB31EA08CB92
              APIs
              • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 000AAFAE
              • OpenProcessToken.ADVAPI32(00000000), ref: 000AAFB5
              • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 000AAFC4
              • CloseHandle.KERNEL32(00000004), ref: 000AAFCF
              • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 000AAFFE
              • DestroyEnvironmentBlock.USERENV(00000000), ref: 000AB012
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
              • String ID:
              • API String ID: 1413079979-0
              • Opcode ID: 9c17bef3901f45ca270ac3fd0226416b7db0b4723cdc746002d38cd8c42eea07
              • Instruction ID: e04db7bc777335cfde37e14fb985d26f9ebc93687a3c56fae6cb17f340dd87ae
              • Opcode Fuzzy Hash: 9c17bef3901f45ca270ac3fd0226416b7db0b4723cdc746002d38cd8c42eea07
              • Instruction Fuzzy Hash: 46215072205209AFDF129FD4DD09FEE7BA9EF46314F044025FA01A61A1D3799D11EB61
              APIs
                • Part of subcall function 0008AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0008AFE3
                • Part of subcall function 0008AF83: SelectObject.GDI32(?,00000000), ref: 0008AFF2
                • Part of subcall function 0008AF83: BeginPath.GDI32(?), ref: 0008B009
                • Part of subcall function 0008AF83: SelectObject.GDI32(?,00000000), ref: 0008B033
              • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 000DEC20
              • LineTo.GDI32(00000000,00000003,?), ref: 000DEC34
              • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 000DEC42
              • LineTo.GDI32(00000000,00000000,?), ref: 000DEC52
              • EndPath.GDI32(00000000), ref: 000DEC62
              • StrokePath.GDI32(00000000), ref: 000DEC72
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
              • String ID:
              • API String ID: 43455801-0
              • Opcode ID: c6fd586e68aa9aa16beabd88aa38a4f953d6459d42b515dda0beb88f7810494b
              • Instruction ID: 11349b812ddb71860df55c5a909cb7cb4be0edd3ccc4d5abdbfbba10466a0e2e
              • Opcode Fuzzy Hash: c6fd586e68aa9aa16beabd88aa38a4f953d6459d42b515dda0beb88f7810494b
              • Instruction Fuzzy Hash: F5111B7200014DBFEF129F90DD88FEA7F6EEB08350F048122BE0889561D7719D55EBA0
              APIs
              • GetDC.USER32(00000000), ref: 000AE1C0
              • GetDeviceCaps.GDI32(00000000,00000058), ref: 000AE1D1
              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 000AE1D8
              • ReleaseDC.USER32(00000000,00000000), ref: 000AE1E0
              • MulDiv.KERNEL32(000009EC,?,00000000), ref: 000AE1F7
              • MulDiv.KERNEL32(000009EC,?,?), ref: 000AE209
                • Part of subcall function 000A9AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,000A9A05,00000000,00000000,?,000A9DDB), ref: 000AA53A
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: CapsDevice$ExceptionRaiseRelease
              • String ID:
              • API String ID: 603618608-0
              • Opcode ID: 925df499624fbb7c3418837549d2c5214bab9d66fddc8f27bdaf2fa5bd4882fc
              • Instruction ID: 194d736391f28d8828ccc334c700f9f8b62e67da590e01fa5df367f74ea8913d
              • Opcode Fuzzy Hash: 925df499624fbb7c3418837549d2c5214bab9d66fddc8f27bdaf2fa5bd4882fc
              • Instruction Fuzzy Hash: D0018FB5A00214BFFB109BE6CC49B6EBFB9EB49751F004066EA04E7290DA709C01DBA0
              APIs
              • __init_pointers.LIBCMT ref: 00097B47
                • Part of subcall function 0009123A: __initp_misc_winsig.LIBCMT ref: 0009125E
                • Part of subcall function 0009123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00097F51
                • Part of subcall function 0009123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00097F65
                • Part of subcall function 0009123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00097F78
                • Part of subcall function 0009123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00097F8B
                • Part of subcall function 0009123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00097F9E
                • Part of subcall function 0009123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00097FB1
                • Part of subcall function 0009123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00097FC4
                • Part of subcall function 0009123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00097FD7
                • Part of subcall function 0009123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00097FEA
                • Part of subcall function 0009123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00097FFD
                • Part of subcall function 0009123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00098010
                • Part of subcall function 0009123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00098023
                • Part of subcall function 0009123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00098036
                • Part of subcall function 0009123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00098049
                • Part of subcall function 0009123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0009805C
                • Part of subcall function 0009123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 0009806F
              • __mtinitlocks.LIBCMT ref: 00097B4C
                • Part of subcall function 00097E23: InitializeCriticalSectionAndSpinCount.KERNEL32(0012AC68,00000FA0,?,?,00097B51,00095E77,00126C70,00000014), ref: 00097E41
              • __mtterm.LIBCMT ref: 00097B55
                • Part of subcall function 00097BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00097B5A,00095E77,00126C70,00000014), ref: 00097D3F
                • Part of subcall function 00097BBD: _free.LIBCMT ref: 00097D46
                • Part of subcall function 00097BBD: DeleteCriticalSection.KERNEL32(0012AC68,?,?,00097B5A,00095E77,00126C70,00000014), ref: 00097D68
              • __calloc_crt.LIBCMT ref: 00097B7A
              • GetCurrentThreadId.KERNEL32 ref: 00097BA3
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
              • String ID:
              • API String ID: 2942034483-0
              • Opcode ID: 6e09dc545cc1d7bb0dd4be68be4d816e641f5428d504e80fda42fdc73e301e33
              • Instruction ID: 3a1e9cc9d21fce5cd451bc547a6ab7441c41bf06afc702cccc83c47b0dccd421
              • Opcode Fuzzy Hash: 6e09dc545cc1d7bb0dd4be68be4d816e641f5428d504e80fda42fdc73e301e33
              • Instruction Fuzzy Hash: BFF0623353D2121AEE6577347C0678A27C4AF02730B200699F86CC50D3FF2588526161
              APIs
              • MapVirtualKeyW.USER32(0000005B,00000000), ref: 0007281D
              • MapVirtualKeyW.USER32(00000010,00000000), ref: 00072825
              • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00072830
              • MapVirtualKeyW.USER32(000000A1,00000000), ref: 0007283B
              • MapVirtualKeyW.USER32(00000011,00000000), ref: 00072843
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0007284B
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Virtual
              • String ID:
              • API String ID: 4278518827-0
              • Opcode ID: 3c4cac752b899312f7d77909910c9de2fdc185cea3a292ec507de3b00a94d202
              • Instruction ID: 35b88dd3f8310a897a8dcddc434fcffa48ef982dee83d7764fbff22a113d2636
              • Opcode Fuzzy Hash: 3c4cac752b899312f7d77909910c9de2fdc185cea3a292ec507de3b00a94d202
              • Instruction Fuzzy Hash: 7B0167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C87A42C7F5A864CBE5
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
              • String ID:
              • API String ID: 1423608774-0
              • Opcode ID: 376343db7ec31ae7ecba0944d8646100c103d72119ba984a642b44a56973b4a7
              • Instruction ID: 50e1b13cd4968868073ae5e8461c29388e6a3703690d53b683e25aa4628656a9
              • Opcode Fuzzy Hash: 376343db7ec31ae7ecba0944d8646100c103d72119ba984a642b44a56973b4a7
              • Instruction Fuzzy Hash: 2F01A432102211ABE7555B98FC48EFF77AAFF99701B14042BF603928A1DB789C00EBD1
              APIs
              • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 000B7C07
              • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 000B7C1D
              • GetWindowThreadProcessId.USER32(?,?), ref: 000B7C2C
              • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 000B7C3B
              • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 000B7C45
              • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 000B7C4C
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
              • String ID:
              • API String ID: 839392675-0
              • Opcode ID: 3b0c3de2d8ef9041c5d2cd4951c4ad7e7b79fafe89106b647462f66326fff450
              • Instruction ID: 7effa32b47aee20983e1cca924441af984c46bb845b2373d87712a381114e185
              • Opcode Fuzzy Hash: 3b0c3de2d8ef9041c5d2cd4951c4ad7e7b79fafe89106b647462f66326fff450
              • Instruction Fuzzy Hash: 59F01772241158BBF7215B529C0EEEF7FBDEFC6B15F00001AFA01D1451DBA85A41E6B5
              APIs
              • InterlockedExchange.KERNEL32(?,?), ref: 000B9A33
              • EnterCriticalSection.KERNEL32(?,?,?,?,000E5DEE,?,?,?,?,?,0007ED63), ref: 000B9A44
              • TerminateThread.KERNEL32(?,000001F6,?,?,?,000E5DEE,?,?,?,?,?,0007ED63), ref: 000B9A51
              • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,000E5DEE,?,?,?,?,?,0007ED63), ref: 000B9A5E
                • Part of subcall function 000B93D1: CloseHandle.KERNEL32(?,?,000B9A6B,?,?,?,000E5DEE,?,?,?,?,?,0007ED63), ref: 000B93DB
              • InterlockedExchange.KERNEL32(?,000001F6), ref: 000B9A71
              • LeaveCriticalSection.KERNEL32(?,?,?,?,000E5DEE,?,?,?,?,?,0007ED63), ref: 000B9A78
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
              • String ID:
              • API String ID: 3495660284-0
              • Opcode ID: 9fc1af64b28e63813334cfbf632fc784919ef19cdb6e191d2d86d8ddd067857c
              • Instruction ID: fbd04046da12ec1433a456bf604ac83fc739e91b9071cdeeb3c212ec76e12b36
              • Opcode Fuzzy Hash: 9fc1af64b28e63813334cfbf632fc784919ef19cdb6e191d2d86d8ddd067857c
              • Instruction Fuzzy Hash: EEF05E32141211ABE7911BA8FC89EFE776AFF95701B180426F603918A1DB799901FB91
              APIs
                • Part of subcall function 0008F4EA: std::exception::exception.LIBCMT ref: 0008F51E
                • Part of subcall function 0008F4EA: __CxxThrowException@8.LIBCMT ref: 0008F533
              • __swprintf.LIBCMT ref: 00071EA6
              Strings
              • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00071D49
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Exception@8Throw__swprintfstd::exception::exception
              • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
              • API String ID: 2125237772-557222456
              • Opcode ID: f4a8738738d0648621707e716b97823c813c31b8ccfad11640992f187e3c001e
              • Instruction ID: 5b0000ee3f0564bae8ce731eea25549d0f2d0428d94ef7a4a99606bcccdd9fac
              • Opcode Fuzzy Hash: f4a8738738d0648621707e716b97823c813c31b8ccfad11640992f187e3c001e
              • Instruction Fuzzy Hash: CB9190719086419FD724EF24C885CAEB7F4BF85700F04891DF889A71A2DB35ED45CB96
              APIs
              • VariantInit.OLEAUT32(?), ref: 000CB006
              • CharUpperBuffW.USER32(?,?), ref: 000CB115
              • VariantClear.OLEAUT32(?), ref: 000CB298
                • Part of subcall function 000B9DC5: VariantInit.OLEAUT32(00000000), ref: 000B9E05
                • Part of subcall function 000B9DC5: VariantCopy.OLEAUT32(?,?), ref: 000B9E0E
                • Part of subcall function 000B9DC5: VariantClear.OLEAUT32(?), ref: 000B9E1A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Variant$ClearInit$BuffCharCopyUpper
              • String ID: AUTOIT.ERROR$Incorrect Parameter format
              • API String ID: 4237274167-1221869570
              • Opcode ID: 18d94b31f7b7a2d72f6497fbadbec228634148d7cd55cf070a1951d5c5be4a3b
              • Instruction ID: 71e05200f9d77d494168c099d1195ce1720380c0635a79438f29fb5d44f9365c
              • Opcode Fuzzy Hash: 18d94b31f7b7a2d72f6497fbadbec228634148d7cd55cf070a1951d5c5be4a3b
              • Instruction Fuzzy Hash: F5915C70A043019FCB10DF64D485EAEB7E4EF89704F14886EF89A9B352DB31E905CB52
              APIs
                • Part of subcall function 0008C6F4: _wcscpy.LIBCMT ref: 0008C717
              • _memset.LIBCMT ref: 000B5438
              • GetMenuItemInfoW.USER32(?), ref: 000B5467
              • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 000B5513
              • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 000B553D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: ItemMenu$Info$Default_memset_wcscpy
              • String ID: 0
              • API String ID: 4152858687-4108050209
              • Opcode ID: e8e639965bd9db49b3a156128a0edd5d91b629ff00f1343ecf7656eab0b3cefd
              • Instruction ID: 07d378d1dc7abc27bfd76f462aeacd046dd144697b6914fc6803d5fe5051e40b
              • Opcode Fuzzy Hash: e8e639965bd9db49b3a156128a0edd5d91b629ff00f1343ecf7656eab0b3cefd
              • Instruction Fuzzy Hash: A6512171504B019BD7A49B28CC417FBB7E8EF85716F0806AAF895D32D1EBA0CD40CB52
              APIs
              • GetWindowRect.USER32(010389A0,?), ref: 000DC544
              • ScreenToClient.USER32(?,00000002), ref: 000DC574
              • MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 000DC5DA
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Window$ClientMoveRectScreen
              • String ID: @U=u
              • API String ID: 3880355969-2594219639
              • Opcode ID: 48d72da45c570fb4ca89e3dd03d0e85a0766266053826f9960c5e312f87d3ae7
              • Instruction ID: 5748f4af3c7f81106b3543725d72b9678fdcd091dc1883450791c9f5817f4c7b
              • Opcode Fuzzy Hash: 48d72da45c570fb4ca89e3dd03d0e85a0766266053826f9960c5e312f87d3ae7
              • Instruction Fuzzy Hash: 6D515E75900605EFDF10DF68D881DAE7BB6EB45320F10825AF85597391D770ED81CBA0
              APIs
              • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 000AC462
              • __itow.LIBCMT ref: 000AC49C
                • Part of subcall function 000AC6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 000AC753
              • SendMessageW.USER32(?,0000110A,00000001,?), ref: 000AC505
              • __itow.LIBCMT ref: 000AC55A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: MessageSend$__itow
              • String ID: @U=u
              • API String ID: 3379773720-2594219639
              • Opcode ID: b8551415f797820737c07d22e91eadbcc1cd7d0feca9ec92418b7dc91a282e50
              • Instruction ID: 2c439b39ee48de9368ff8a0d174b3d61f9286623df207aac9c1991c9faa63b9d
              • Opcode Fuzzy Hash: b8551415f797820737c07d22e91eadbcc1cd7d0feca9ec92418b7dc91a282e50
              • Instruction Fuzzy Hash: 0141B971E00608AFEF25EFA4CC51FEE7BB5AF4A710F004019F509A7192DB74AA45CB55
              APIs
                • Part of subcall function 000B430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,000ABC08,?,?,00000034,00000800,?,00000034), ref: 000B4335
              • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 000AC1D3
                • Part of subcall function 000B42D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,000ABC37,?,?,00000800,?,00001073,00000000,?,?), ref: 000B4300
                • Part of subcall function 000B422F: GetWindowThreadProcessId.USER32(?,?), ref: 000B425A
                • Part of subcall function 000B422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,000ABBCC,00000034,?,?,00001004,00000000,00000000), ref: 000B426A
                • Part of subcall function 000B422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,000ABBCC,00000034,?,?,00001004,00000000,00000000), ref: 000B4280
              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 000AC240
              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 000AC28D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
              • String ID: @$@U=u
              • API String ID: 4150878124-826235744
              APIs
              • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 000B027B
              • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 000B02B1
              • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 000B02C2
              • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 000B0344
              Similarity
              • API ID: ErrorMode$AddressCreateInstanceProc
              • String ID: DllGetClassObject
              • API String ID: 753597075-1075368562
              APIs
              • _memset.LIBCMT ref: 000B5075
              • GetMenuItemInfoW.USER32 ref: 000B5091
              • DeleteMenu.USER32(00000004,00000007,00000000), ref: 000B50D7
              • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00131708,00000000), ref: 000B5120
              Similarity
              • API ID: Menu$Delete$InfoItem_memset
              • String ID: 0
              • API String ID: 1173514356-4108050209
              APIs
              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 000DB5D1
              Similarity
              • API ID: InvalidateRect
              • String ID: @U=u
              • API String ID: 634782764-2594219639
              APIs
              • CharLowerBuffW.USER32(?,?,?,?), ref: 000D0587
              Similarity
              • API ID: BuffCharLower
              • String ID: cdecl$none$stdcall$winapi
              • API String ID: 2358735015-567219261
              APIs
              • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 000C4401
              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 000C4427
              • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 000C4457
              • InternetCloseHandle.WININET(00000000), ref: 000C449E
                • Part of subcall function 000C5052: GetLastError.KERNEL32(?,?,000C43CC,00000000,00000000,00000001), ref: 000C5067
              Similarity
              • API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
              • String ID:
              • API String ID: 1951874230-3916222277
              APIs
                • Part of subcall function 0008D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0008D1BA
                • Part of subcall function 0008D17C: GetStockObject.GDI32(00000011), ref: 0008D1CE
                • Part of subcall function 0008D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0008D1D8
              • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 000D915C
              • LoadLibraryW.KERNEL32(?), ref: 000D9163
              • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 000D9178
              • DestroyWindow.USER32(?), ref: 000D9180
              Similarity
              • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
              • String ID: SysAnimate32
              • API String ID: 4146253029-1011021900
              APIs
              • GetStdHandle.KERNEL32(0000000C), ref: 000B9588
              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 000B95B9
              • GetStdHandle.KERNEL32(0000000C), ref: 000B95CB
              • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 000B9605
              Similarity
              • API ID: CreateHandle$FilePipe
              • String ID: nul
              • API String ID: 4209266947-2873401336
              APIs
              • GetStdHandle.KERNEL32(000000F6), ref: 000B9653
              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 000B9683
              • GetStdHandle.KERNEL32(000000F6), ref: 000B9694
              • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 000B96CE
              Similarity
              • API ID: CreateHandle$FilePipe
              • String ID: nul
              • API String ID: 4209266947-2873401336
              APIs
              • SetErrorMode.KERNEL32(00000001), ref: 000BDB0A
              • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 000BDB5E
              • __swprintf.LIBCMT ref: 000BDB77
              • SetErrorMode.KERNEL32(00000000,00000001,00000000,0010DC00), ref: 000BDBB5
              Similarity
              • API ID: ErrorMode$InformationVolume__swprintf
              • String ID: %lu
              • API String ID: 3164766367-685833217
              APIs
                • Part of subcall function 000AC82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 000AC84A
                • Part of subcall function 000AC82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 000AC85D
                • Part of subcall function 000AC82D: GetCurrentThreadId.KERNEL32 ref: 000AC864
                • Part of subcall function 000AC82D: AttachThreadInput.USER32(00000000), ref: 000AC86B
              • GetFocus.USER32 ref: 000ACA05
                • Part of subcall function 000AC876: GetParent.USER32(?), ref: 000AC884
              • GetClassNameW.USER32(?,?,00000100), ref: 000ACA4E
              • EnumChildWindows.USER32(?,000ACAC4), ref: 000ACA76
              • __swprintf.LIBCMT ref: 000ACA90
              Similarity
              • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
              • String ID: %s%d
              • API String ID: 3187004680-1110647743
              APIs
              • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0008D1BA
              • GetStockObject.GDI32(00000011), ref: 0008D1CE
              • SendMessageW.USER32(00000000,00000030,00000000), ref: 0008D1D8
              Similarity
              • API ID: CreateMessageObjectSendStockWindow
              • String ID: @U=u
              • API String ID: 3970641297-2594219639
              APIs
              • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 000D19F3
              • GetProcessIoCounters.KERNEL32(00000000,?), ref: 000D1A26
              • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 000D1B49
              • CloseHandle.KERNEL32(?), ref: 000D1BBF
              Similarity
              • API ID: Process$CloseCountersHandleInfoMemoryOpen
              • String ID:
              • API String ID: 2364364464-0
              APIs
              • VariantInit.OLEAUT32(?), ref: 000B1CB4
              • VariantClear.OLEAUT32(00000013), ref: 000B1D26
              • VariantClear.OLEAUT32(00000000), ref: 000B1D81
              • VariantClear.OLEAUT32(?), ref: 000B1DF8
              • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 000B1E26
              Similarity
              • API ID: Variant$Clear$ChangeInitType
              • String ID:
              • API String ID: 4136290138-0
              APIs
                • Part of subcall function 0007936C: __swprintf.LIBCMT ref: 000793AB
                • Part of subcall function 0007936C: __itow.LIBCMT ref: 000793DF
              • LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 000D06EE
              • GetProcAddress.KERNEL32(00000000,?), ref: 000D077D
              • GetProcAddress.KERNEL32(00000000,00000000), ref: 000D079B
              • GetProcAddress.KERNEL32(00000000,?), ref: 000D07E1
              • FreeLibrary.KERNEL32(00000000,00000004), ref: 000D07FB
                • Part of subcall function 0008E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,000BA574,?,?,00000000,00000008), ref: 0008E675
                • Part of subcall function 0008E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,000BA574,?,?,00000000,00000008), ref: 0008E699
              Similarity
              • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
              • String ID:
              • API String ID: 327935632-0
              APIs
                • Part of subcall function 000D3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000D2BB5,?,?), ref: 000D3C1D
              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000D2EEF
              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 000D2F2E
              • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 000D2F75
              • RegCloseKey.ADVAPI32(?,?), ref: 000D2FA1
              • RegCloseKey.ADVAPI32(00000000), ref: 000D2FAE
              Similarity
              • API ID: Close$BuffCharConnectEnumOpenRegistryUpper
              • String ID:
              • API String ID: 3740051246-0
              APIs
              • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 000C12B4
              • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 000C12DD
              • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 000C131C
                • Part of subcall function 0007936C: __swprintf.LIBCMT ref: 000793AB
                • Part of subcall function 0007936C: __itow.LIBCMT ref: 000793DF
              • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 000C1341
              • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 000C1349
              Similarity
              • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
              • String ID:
              • API String ID: 1389676194-0
              APIs
              • GetCursorPos.USER32(000000FF), ref: 0008B64F
              • ScreenToClient.USER32(00000000,000000FF), ref: 0008B66C
              • GetAsyncKeyState.USER32(00000001), ref: 0008B691
              • GetAsyncKeyState.USER32(00000002), ref: 0008B69F
              Similarity
              • API ID: AsyncState$ClientCursorScreen
              • String ID:
              • API String ID: 4210589936-0
              • Opcode ID: 3624127ec4238bbaa429b2bccc809d97ad35d1112e0e086d759f79cc0e0e16fb
              • Instruction ID: 1ae1d1a1799df5b0db11b5bb638c962e19b6f17e936bc1912231408df7fad1dc
              • Opcode Fuzzy Hash: 3624127ec4238bbaa429b2bccc809d97ad35d1112e0e086d759f79cc0e0e16fb
              • Instruction Fuzzy Hash: 64419035504109BFDF55DF65C844AEDBBB4FB05324F10436AE869A2291D734ADA0EFA0
              APIs
              • GetWindowRect.USER32(?,?), ref: 000AB369
              • PostMessageW.USER32(?,00000201,00000001), ref: 000AB413
              • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 000AB41B
              • PostMessageW.USER32(?,00000202,00000000), ref: 000AB429
              • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 000AB431
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: MessagePostSleep$RectWindow
              • String ID:
              • API String ID: 3382505437-0
              • Opcode ID: ecd8a3935b85874cf3d58470d07d9f7a1fee87b6af433312614673d4518c57ed
              • Instruction ID: 32be5fc2877156e69762df5cdb9c764edb597b7e2c94a1215e0c5d107c11e8fb
              • Opcode Fuzzy Hash: ecd8a3935b85874cf3d58470d07d9f7a1fee87b6af433312614673d4518c57ed
              • Instruction Fuzzy Hash: 9C31C072900219EBDF14CFA8D94DAAE3BB5FB05319F104229F921EA1D2C7B49A54DB90
              APIs
                • Part of subcall function 000750E6: _wcsncpy.LIBCMT ref: 000750FA
              • GetFileAttributesW.KERNEL32(?,?,?,?,000B60C3), ref: 000B6369
              • GetLastError.KERNEL32(?,?,?,000B60C3), ref: 000B6374
              • CreateDirectoryW.KERNEL32(?,00000000,?,?,?,000B60C3), ref: 000B6388
              • _wcsrchr.LIBCMT ref: 000B63AA
                • Part of subcall function 000B6318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,000B60C3), ref: 000B63E0
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
              • String ID:
              • API String ID: 3633006590-0
              • Opcode ID: 6265ed976dfdbf61f6a6e152e3bbe1e493a985509d944a153dfa1f68f71fd007
              • Instruction ID: d7d829f0194577a48b1231e84a156878124469d3006eb6855732aa5dc6d98546
              • Opcode Fuzzy Hash: 6265ed976dfdbf61f6a6e152e3bbe1e493a985509d944a153dfa1f68f71fd007
              • Instruction Fuzzy Hash: F621D8319042155AEF65AB78AC46FFE23ECBF15B60F100466F045D70C1EBAADB809A64
              APIs
                • Part of subcall function 000CA82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 000CA84E
              • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 000C8BD3
              • WSAGetLastError.WSOCK32(00000000), ref: 000C8BE2
              • connect.WSOCK32(00000000,?,00000010), ref: 000C8BFE
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: ErrorLastconnectinet_addrsocket
              • String ID:
              • API String ID: 3701255441-0
              • Opcode ID: 18246ecc60bfa98897f39dd13cdbd8eef639a9b212370cd44c0b3df2147eb8e9
              • Instruction ID: 2f1a834716b7bc16faa2602be3eedfbbbb1d7e947a196991dd02b86b38d150ef
              • Opcode Fuzzy Hash: 18246ecc60bfa98897f39dd13cdbd8eef639a9b212370cd44c0b3df2147eb8e9
              • Instruction Fuzzy Hash: 43218E312002149FDB14AF68CC85FBE77E9EF48710F04845DF956AB392DB74AC019B55
              APIs
              • IsWindow.USER32(00000000), ref: 000C8441
              • GetForegroundWindow.USER32 ref: 000C8458
              • GetDC.USER32(00000000), ref: 000C8494
              • GetPixel.GDI32(00000000,?,00000003), ref: 000C84A0
              • ReleaseDC.USER32(00000000,00000003), ref: 000C84DB
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Window$ForegroundPixelRelease
              • String ID:
              • API String ID: 4156661090-0
              • Opcode ID: d025a3f635cb72f789199656dd78ca68c9cd65ca4ce0e7828ef5ccb055f1d125
              • Instruction ID: ffc1affa4fde3bfc36a7ee6534a07c15557018f5618c761c766822556f1a869c
              • Opcode Fuzzy Hash: d025a3f635cb72f789199656dd78ca68c9cd65ca4ce0e7828ef5ccb055f1d125
              • Instruction Fuzzy Hash: 43218175A00204AFD714EFA4C889AAEBBF9EF48301F14C479E859D7652DF74AC01DB64
              APIs
              • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0008AFE3
              • SelectObject.GDI32(?,00000000), ref: 0008AFF2
              • BeginPath.GDI32(?), ref: 0008B009
              • SelectObject.GDI32(?,00000000), ref: 0008B033
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: ObjectSelect$BeginCreatePath
              • String ID:
              • API String ID: 3225163088-0
              • Opcode ID: ed863d25c11773d51540c98b844789cb1f5548f2ffb873dcc6eb8d2f6c03f60a
              • Instruction ID: 6d8687e3db28d02f93ff7c07910a2c33d44a7a43f70c9ed5c807415d58272e71
              • Opcode Fuzzy Hash: ed863d25c11773d51540c98b844789cb1f5548f2ffb873dcc6eb8d2f6c03f60a
              • Instruction Fuzzy Hash: D221B3F0900349FFEB20EFD5ED497AA7BA9B710355F14432AE464925A1C3B058D5DFA0
              APIs
              • __calloc_crt.LIBCMT ref: 000921A9
              • CreateThread.KERNEL32(?,?,000922DF,00000000,?,?), ref: 000921ED
              • GetLastError.KERNEL32 ref: 000921F7
              • _free.LIBCMT ref: 00092200
              • __dosmaperr.LIBCMT ref: 0009220B
                • Part of subcall function 00097C0E: __getptd_noexit.LIBCMT ref: 00097C0E
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
              • String ID:
              • API String ID: 2664167353-0
              • Opcode ID: 8d4127bf66e96cb95d6bbee6dad12c757362c0f09f8fa9264f2e7b76fb29662e
              • Instruction ID: 47f0c378a108e984845a2d35aae9f858bdd7d3bf6f00d9b367fe894d2bb91a16
              • Opcode Fuzzy Hash: 8d4127bf66e96cb95d6bbee6dad12c757362c0f09f8fa9264f2e7b76fb29662e
              • Instruction Fuzzy Hash: EF11C433108306BFAF21AFA5DC41DEB3BD9EF45770B100429FA1886193EB71D821B6A1
              APIs
              • GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 000AABD7
              • GetLastError.KERNEL32(?,000AA69F,?,?,?), ref: 000AABE1
              • GetProcessHeap.KERNEL32(00000008,?,?,000AA69F,?,?,?), ref: 000AABF0
              • HeapAlloc.KERNEL32(00000000,?,000AA69F,?,?,?), ref: 000AABF7
              • GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 000AAC0E
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
              • String ID:
              • API String ID: 842720411-0
              • Opcode ID: 2aeaddce989532b1f85f342bbcf7076a6294755ad3794d3c6125d71cb0bb10f3
              • Instruction ID: 02684f05c42a8e72f0b332cf6587ff5d2f7fe9d334c688b7532f6b0851a5d38c
              • Opcode Fuzzy Hash: 2aeaddce989532b1f85f342bbcf7076a6294755ad3794d3c6125d71cb0bb10f3
              • Instruction Fuzzy Hash: 21014670300204BFEB104FA9DC48DAB3AAEEF8A364710052AF909C22A1DB71CD40EA61
              APIs
              • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 000B7A74
              • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 000B7A82
              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 000B7A8A
              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 000B7A94
              • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 000B7AD0
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: PerformanceQuery$CounterSleep$Frequency
              • String ID:
              • API String ID: 2833360925-0
              • Opcode ID: d021a7023c1ffad5436aebf02361e9ee966a7d0e6ae0e9b4779972ca55074d15
              • Instruction ID: 2e9bde5e7e39f40b3d967d47cb678653a43c8214e13fff2dc7df8b4642374de9
              • Opcode Fuzzy Hash: d021a7023c1ffad5436aebf02361e9ee966a7d0e6ae0e9b4779972ca55074d15
              • Instruction Fuzzy Hash: 22014831C0962DEBDF50AFE5DC48AEDBB79FF88711F000456E506B2650DB389650D7A2
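The listings on this page give, per function, the raw order of API calls (the block just above, for instance, reads QueryPerformanceCounter, QueryPerformanceFrequency, Sleep, QueryPerformanceCounter, Sleep). As an added example, not part of the Joe Sandbox report and not code from the sample, the Python below parses those listing lines into call records and applies three heuristics of its own: a timing check that brackets a Sleep with QueryPerformanceCounter, the two-call size-probe idiom (query, GetLastError, HeapAlloc, query again) seen in the GetUserObjectSecurity and GetTokenInformation blocks, and a decode of the class argument passed to GetTokenInformation. SAMPLE is constructed from three listings on this page; the rule wording and the TOKEN_CLASSES table (winnt.h values) are the example's own.

```python
import re

# Parses the per-function "APIs" listings of a Joe Sandbox report and flags
# call sequences worth triaging first. Added example for this page; not Joe
# Sandbox code and not the sample's. SAMPLE is constructed from three listings
# on this page; the three rules and TOKEN_CLASSES are this example's own.
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$")
# winnt.h TOKEN_INFORMATION_CLASS values decoded by rule_token_query.
TOKEN_CLASSES = {2: "TokenGroups", 3: "TokenPrivileges", 25: "TokenIntegrityLevel"}

def parse_arg(token):
    """'00000003(TokenIntegrityLevel)' -> 3; '?' or a bare name -> None."""
    try:
        return int(token.strip().split("(", 1)[0], 16)
    except ValueError:
        return None

def parse_blocks(text):
    """One dict per 'APIs' listing: its Instruction ID and the calls in listed order."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"id": None, "calls": []}
            blocks.append(cur)
        elif cur is None:
            continue
        elif m := API_LINE.match(line):
            args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
            cur["calls"].append({"api": m["api"], "module": m["module"], "args": args,
                                 "ref": int(m["ref"], 16), "subcall": m["sub"] is not None})
        elif line.startswith("• Instruction ID:"):
            cur["id"] = line.split(":", 1)[1].strip()
    return blocks

def direct_calls(block):
    """API names in listed order, excluding 'Part of subcall function' lines."""
    return [c["api"] for c in block["calls"] if not c["subcall"]]

def rule_timing(block):
    # QueryPerformanceCounter before and after a Sleep: an execution-timing check.
    n = direct_calls(block)
    idx = [i for i, a in enumerate(n) if a == "QueryPerformanceCounter"]
    if len(idx) >= 2 and "Sleep" in n[idx[0]:idx[-1]]:
        return "timing check: QueryPerformanceCounter brackets Sleep"
    return None

def rule_size_probe(block):
    # Same query API twice with GetLastError and HeapAlloc between: probe the size, then fetch.
    n = direct_calls(block)
    for api in dict.fromkeys(n):
        idx = [i for i, a in enumerate(n) if a == api]
        if len(idx) >= 2 and api not in ("GetLastError", "HeapAlloc"):
            between = n[idx[0] + 1:idx[-1]]
            if "GetLastError" in between and "HeapAlloc" in between:
                return f"size probe: {api} called twice around HeapAlloc"
    return None

def rule_token_query(block):
    # Decode the second argument of GetTokenInformation, the information class.
    classes = sorted({c["args"][1] for c in block["calls"] if c["api"] == "GetTokenInformation"
                      and len(c["args"]) > 1 and c["args"][1] is not None})
    if not classes:
        return None
    return "token query: " + ", ".join(TOKEN_CLASSES.get(k, f"class {k}") for k in classes)

RULES = (rule_timing, rule_size_probe, rule_token_query)

def triage(text):
    """{Instruction ID: [findings]} for every block that trips at least one rule."""
    out = {}
    for block in parse_blocks(text):
        hits = [f for f in (rule(block) for rule in RULES) if f]
        if hits:
            out[block["id"]] = hits
    return out

# Constructed sample: three listings copied from this report.
SAMPLE = """\
APIs
• QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 000B7A74
• QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 000B7A82
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 000B7A8A
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 000B7A94
• Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 000B7AD0
• Instruction ID: 2e9bde5e7e39f40b3d967d47cb678653a43c8214e13fff2dc7df8b4642374de9
APIs
• GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 000AAA79
• GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 000AAA83
• GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 000AAA92
• HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 000AAA99
• GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 000AAAAF
• Instruction ID: 79a50cb97127544947295c7f7eec589d61b3825f332674d266b50867a6d104ae
APIs
  • Part of subcall function 000CA82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 000CA84E
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 000C8BD3
• WSAGetLastError.WSOCK32(00000000), ref: 000C8BE2
• connect.WSOCK32(00000000,?,00000010), ref: 000C8BFE
• Instruction ID: 2f1a834716b7bc16faa2602be3eedfbbbb1d7e947a196991dd02b86b38d150ef
"""
```

Running `triage(SAMPLE)` reports the timing block and the TokenGroups block and stays silent on the socket block; the `?` placeholders stay `None`, so a rule that needs a concrete argument (the class value here) only fires when the report actually recovered it. The rules look at the listed order of calls within one block, so a probe split across a subcall is not matched on purpose: the `subcall` flag is kept so a caller can widen the search if it wants to.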
              APIs
              • CLSIDFromProgID.OLE32 ref: 000A9ADC
              • ProgIDFromCLSID.OLE32(?,00000000), ref: 000A9AF7
              • lstrcmpiW.KERNEL32(?,00000000), ref: 000A9B05
              • CoTaskMemFree.OLE32(00000000,?,00000000), ref: 000A9B15
              • CLSIDFromString.OLE32(?,?), ref: 000A9B21
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: From$Prog$FreeStringTasklstrcmpi
              • String ID:
              • API String ID: 3897988419-0
              • Opcode ID: 25ddb948f2bb32ea770017f7abc2b280496bbde54aef266089c726c8044d3cc4
              • Instruction ID: e6203231db8d0354b5bb82e9a801aa0fe046b3b453f200a7a223fcf3e939d259
              • Opcode Fuzzy Hash: 25ddb948f2bb32ea770017f7abc2b280496bbde54aef266089c726c8044d3cc4
              • Instruction Fuzzy Hash: CB018F76710204BFEB104F94ED44BAA7AEEEB45392F244025F905D2210DB75DD01ABB0
              APIs
              • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 000AAA79
              • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 000AAA83
              • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 000AAA92
              • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 000AAA99
              • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 000AAAAF
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: HeapInformationToken$AllocErrorLastProcess
              • String ID:
              • API String ID: 44706859-0
              • Opcode ID: ed7367ebde512af40ed83334081ad0fadf2bc81930fc340c36c57b43644740a4
              • Instruction ID: 79a50cb97127544947295c7f7eec589d61b3825f332674d266b50867a6d104ae
              • Opcode Fuzzy Hash: ed7367ebde512af40ed83334081ad0fadf2bc81930fc340c36c57b43644740a4
              • Instruction Fuzzy Hash: 9EF03771200204AFEB115FA4AC89EBB3BEDFB4A754B00442AFA41C61A0DB659C41EA72
              APIs
              • GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),?,00000000,?), ref: 000AAADA
              • GetLastError.KERNEL32(?,TokenPrivileges,?,00000000,?), ref: 000AAAE4
              • GetProcessHeap.KERNEL32(00000008,?,?,TokenPrivileges,?,00000000,?), ref: 000AAAF3
              • HeapAlloc.KERNEL32(00000000,?,TokenPrivileges,?,00000000,?), ref: 000AAAFA
              • GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),00000000,?,?,?,TokenPrivileges,?,00000000,?), ref: 000AAB10
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: HeapInformationToken$AllocErrorLastProcess
              • String ID:
              • API String ID: 44706859-0
              • Opcode ID: 843a01245e85ecb58256fdc322071f1af9cb1bc15e0288d52912ba1dc75c65c5
              • Instruction ID: 68b115695eb041ab035be33478656006381887891cddd679c3ad13d431d20f94
              • Opcode Fuzzy Hash: 843a01245e85ecb58256fdc322071f1af9cb1bc15e0288d52912ba1dc75c65c5
              • Instruction Fuzzy Hash: D8F03C713102086FEB110FA4EC98E773BAEFB46754F00012AF941C7190CB649901EA71
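The two GetTokenInformation blocks above pass the information class as the second argument, 2 and 3; in the winnt.h TOKEN_INFORMATION_CLASS enum those are TokenGroups and TokenPrivileges (TokenIntegrityLevel is 25). Whatever the class, the second call fills the buffer whose size the first call reported, and what an analyst recovers from a dump is raw bytes. The Python below, added here as an example and not code from the sample or from Joe Sandbox, decodes the two pointer-free layouts those bytes contain: a binary SID (the element type behind TokenGroups and the mandatory label returned for TokenIntegrityLevel) and TOKEN_PRIVILEGES. The constants are winnt.h values, the privilege LUID table covers only a few built-in entries, and the byte strings at the bottom are constructed for the example.

```python
import struct

# Decoders for the pointer-free structures a GetTokenInformation buffer holds.
# Added example for this page; not code from the sample or from Joe Sandbox.
# Constants are winnt.h values; the byte strings at the bottom are constructed.

# TOKEN_INFORMATION_CLASS: 2 = TokenGroups, 3 = TokenPrivileges, 25 = TokenIntegrityLevel.
TOKEN_GROUPS, TOKEN_PRIVILEGES, TOKEN_INTEGRITY_LEVEL = 2, 3, 25
# Mandatory-label RIDs (S-1-16-<rid>) and privilege attribute bits.
INTEGRITY_RIDS = {0x0000: "Untrusted", 0x1000: "Low", 0x2000: "Medium", 0x2100: "Medium Plus",
                  0x3000: "High", 0x4000: "System", 0x5000: "Protected Process"}
SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED, SE_PRIVILEGE_REMOVED = 0x1, 0x2, 0x4
# LUID.LowPart of a few built-in privileges (fixed values, HighPart 0); others print as raw LUIDs.
PRIVILEGE_LUIDS = {7: "SeTcbPrivilege", 10: "SeLoadDriverPrivilege", 17: "SeBackupPrivilege",
                   18: "SeRestorePrivilege", 19: "SeShutdownPrivilege", 20: "SeDebugPrivilege",
                   23: "SeChangeNotifyPrivilege", 29: "SeImpersonatePrivilege"}
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"


def parse_sid(buf, offset=0):
    """Decode a binary SID at buf[offset:] into (sid_string, end_offset).

    Layout: Revision (1), SubAuthorityCount (1), IdentifierAuthority (6, big-endian),
    then SubAuthorityCount little-endian DWORDs.
    """
    revision, count = buf[offset], buf[offset + 1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    end = offset + 8 + 4 * count
    if end > len(buf):
        raise ValueError("SID truncated")
    authority = int.from_bytes(buf[offset + 2:offset + 8], "big")
    subs = struct.unpack_from(f"<{count}I", buf, offset + 8)
    return "S-1-" + "-".join(str(x) for x in (authority, *subs)), end


def build_sid(authority, *subs):
    """Encode a SID; used here only to construct sample buffers."""
    return bytes([1, len(subs)]) + authority.to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs)


def integrity_level(sid_string):
    """Name the integrity level of a mandatory-label SID (S-1-16-<rid>)."""
    parts = sid_string.split("-")
    if len(parts) != 4 or parts[:3] != ["S", "1", "16"]:
        raise ValueError(f"not a mandatory label SID: {sid_string}")
    rid = int(parts[3])
    return INTEGRITY_RIDS.get(rid, f"Unknown(0x{rid:X})")


def parse_token_privileges(buf):
    """Decode TOKEN_PRIVILEGES: DWORD PrivilegeCount, then PrivilegeCount x {LUID(8), DWORD Attributes}."""
    (count,) = struct.unpack_from("<I", buf, 0)
    if len(buf) < 4 + 12 * count:
        raise ValueError("TOKEN_PRIVILEGES truncated")
    privileges = []
    for i in range(count):
        low, high, attrs = struct.unpack_from("<IiI", buf, 4 + 12 * i)
        name = PRIVILEGE_LUIDS.get(low) if high == 0 else None
        privileges.append({"name": name or f"LUID({high}:{low})",
                           "enabled": bool(attrs & SE_PRIVILEGE_ENABLED),
                           "removed": bool(attrs & SE_PRIVILEGE_REMOVED)})
    return privileges


def summarize(label_sid, group_sids, privileges_buf):
    """Triage view: integrity level, admin-group membership, enabled privileges."""
    sid, _ = parse_sid(label_sid)
    groups = [parse_sid(g)[0] for g in group_sids]
    privs = parse_token_privileges(privileges_buf)
    return {"integrity": integrity_level(sid),
            "admin_group_present": BUILTIN_ADMINISTRATORS in groups,
            "enabled_privileges": sorted(p["name"] for p in privs if p["enabled"])}


# Constructed sample: a high-integrity label, two group SIDs (Everyone and
# BUILTIN\Administrators), and two privileges with only SeDebugPrivilege enabled.
SAMPLE_LABEL = build_sid(16, 0x3000)
SAMPLE_GROUPS = [build_sid(1, 0), build_sid(5, 32, 544)]
SAMPLE_PRIVILEGES = (struct.pack("<I", 2)
                     + struct.pack("<IiI", 20, 0, SE_PRIVILEGE_ENABLED)
                     + struct.pack("<IiI", 19, 0, 0))
```

`summarize` expects the group SIDs already extracted: a TOKEN_GROUPS buffer is an array of SID_AND_ATTRIBUTES whose Sid members are pointers into the same allocation, so the pointer width (4 bytes for this 32-bit sample, 8 on x64) has to be known before the SIDs can be located; the SID decoder itself is width-independent. A high mandatory label together with SeDebugPrivilege enabled is the combination to look for when the report's "launch a program with higher privileges" and "writes to foreign memory regions" signatures are being triaged together.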
              APIs
              • GetDlgItem.USER32(?,000003E9), ref: 000AEC94
              • GetWindowTextW.USER32(00000000,?,00000100), ref: 000AECAB
              • MessageBeep.USER32(00000000), ref: 000AECC3
              • KillTimer.USER32(?,0000040A), ref: 000AECDF
              • EndDialog.USER32(?,00000001), ref: 000AECF9
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: BeepDialogItemKillMessageTextTimerWindow
              • String ID:
              • API String ID: 3741023627-0
              • Opcode ID: d4c9506fe8b888b7bc5d1e1fb027ecd9ce88d79236eddd4fa912da5fb0728ab6
              • Instruction ID: 93e1317a5867df4634f1a200ffcdd027532d9728755bb830d3aaf30e96680772
              • Opcode Fuzzy Hash: d4c9506fe8b888b7bc5d1e1fb027ecd9ce88d79236eddd4fa912da5fb0728ab6
              • Instruction Fuzzy Hash: FF01A430900744ABFB346B50DE4EBA677B9FF01B15F00055AB587A58E1DBF8AA45DB40
              APIs
              • EndPath.GDI32(?), ref: 0008B0BA
              • StrokeAndFillPath.GDI32(?,?,000EE680,00000000,?,?,?), ref: 0008B0D6
              • SelectObject.GDI32(?,00000000), ref: 0008B0E9
              • DeleteObject.GDI32 ref: 0008B0FC
              • StrokePath.GDI32(?), ref: 0008B117
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Path$ObjectStroke$DeleteFillSelect
              • String ID:
              • API String ID: 2625713937-0
              • Opcode ID: 37311b927b399e3760cdbe89468e5b43e4f052f426747e2767235e407e407cb2
              • Instruction ID: 0e503fce5f8ac5e6bdfdcdc99bd8cacd7013e8f036bb9070ab336a5648ad3b06
              • Opcode Fuzzy Hash: 37311b927b399e3760cdbe89468e5b43e4f052f426747e2767235e407e407cb2
              • Instruction Fuzzy Hash: 84F0C9B0000644FFDB21AFA9ED0E7693BA6B711362F488316E569498F0CB7589E5DF60
              APIs
              • CoInitialize.OLE32(00000000), ref: 000BF2DA
              • CoCreateInstance.OLE32(000FDA7C,00000000,00000001,000FD8EC,?), ref: 000BF2F2
              • CoUninitialize.OLE32 ref: 000BF555
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: CreateInitializeInstanceUninitialize
              • String ID: .lnk
              • API String ID: 948891078-24824748
              • Opcode ID: 5b934a096ba0ca636380f91b6e462740fb4c2d689e66f5ce7a0cc2a760860a02
              • Instruction ID: 6c669035ec0b42405f98f2aba7c0e75e93bf1f67791aa09184d51bbc64b4b307
              • Opcode Fuzzy Hash: 5b934a096ba0ca636380f91b6e462740fb4c2d689e66f5ce7a0cc2a760860a02
              • Instruction Fuzzy Hash: 9AA11A71504201AFD300EF64C881EAFB7E8FF99714F00895DF59997192EB74EA49CB92
              APIs
                • Part of subcall function 0007660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000753B1,?,?,000761FF,?,00000000,00000001,00000000), ref: 0007662F
              • CoInitialize.OLE32(00000000), ref: 000BE85D
              • CoCreateInstance.OLE32(000FDA7C,00000000,00000001,000FD8EC,?), ref: 000BE876
              • CoUninitialize.OLE32 ref: 000BE893
                • Part of subcall function 0007936C: __swprintf.LIBCMT ref: 000793AB
                • Part of subcall function 0007936C: __itow.LIBCMT ref: 000793DF
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
              • String ID: .lnk
              • API String ID: 2126378814-24824748
              • Opcode ID: 7f90eb6b153e0c0fdf9e3ed4df00668f704d1a1aa797d2d4f7398abbce922e1c
              • Instruction ID: 352fb81dbba660b6b0f9b516dbb9b62e79c63ccfb570bc60f5287ca02c822f66
              • Opcode Fuzzy Hash: 7f90eb6b153e0c0fdf9e3ed4df00668f704d1a1aa797d2d4f7398abbce922e1c
              • Instruction Fuzzy Hash: F3A14435604341AFCB10EF14C8849AEBBE5FF89310F048959F99A9B3A2CB35ED45CB91
              APIs
              • __startOneArgErrorHandling.LIBCMT ref: 000932ED
                • Part of subcall function 0009E0D0: __87except.LIBCMT ref: 0009E10B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: ErrorHandling__87except__start
              • String ID: pow
              • API String ID: 2905807303-2276729525
              • Opcode ID: 67050b2aee1a3aa59923dba1bcb74dc7d94d36fe21150550ec68711681b8376a
              • Instruction ID: 538c0509efd248ba14df8e8b3b0c4bd74c53fc1d180f79c16ace98019618bfc2
              • Opcode Fuzzy Hash: 67050b2aee1a3aa59923dba1bcb74dc7d94d36fe21150550ec68711681b8376a
              • Instruction Fuzzy Hash: AB516831A4824196CF65F714C9453BE2BD49B40710F30CD69F4D6822EAEF758ED8BE46
              APIs
              • CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,0010DC50,?,0000000F,0000000C,00000016,0010DC50,?), ref: 000B4645
                • Part of subcall function 0007936C: __swprintf.LIBCMT ref: 000793AB
                • Part of subcall function 0007936C: __itow.LIBCMT ref: 000793DF
              • CharUpperBuffW.USER32(?,?,00000000,?), ref: 000B46C5
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: BuffCharUpper$__itow__swprintf
              • String ID: REMOVE$THIS
              • API String ID: 3797816924-776492005
              • Opcode ID: 36829ed23940dd5191a634bd5a677046496bbda9353f92f6cec2c98dcae21048
              • Instruction ID: b6dc66533b7ed23fd61ec14259f65db3be9d314b5866f4d6cc2d9cb441e73334
              • Opcode Fuzzy Hash: 36829ed23940dd5191a634bd5a677046496bbda9353f92f6cec2c98dcae21048
              • Instruction Fuzzy Hash: 9D412A34A042199FCF11EFA4C885AEEB7B5FF49304F148469E91AAB293DB34DE45CB50
              APIs
              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0010DC00,00000000,?,?,?,?), ref: 000DA6D8
              • GetWindowLongW.USER32 ref: 000DA6F5
              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 000DA705
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Window$Long
              • String ID: SysTreeView32
              • API String ID: 847901565-1698111956
              • Opcode ID: e39f39b4620a147ed9dab98ecc96db45988208baa7a5df6d322a213de2a8fa24
              • Instruction ID: 77db9e751c5fbadd95cf9b891eb6a1872bd70fb6354ffb89d3a448172ed60b1c
              • Opcode Fuzzy Hash: e39f39b4620a147ed9dab98ecc96db45988208baa7a5df6d322a213de2a8fa24
              • Instruction Fuzzy Hash: C631DE31200205ABDB219F78CC41BEA7BA9FF4A324F244716F8B5932E1C774E8509B60
              APIs
              • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 000DA15E
              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 000DA172
              • SendMessageW.USER32(?,00001002,00000000,?), ref: 000DA196
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: MessageSend$Window
              • String ID: SysMonthCal32
              • API String ID: 2326795674-1439706946
              • Opcode ID: 694555d6befd4f64bc14f2bd9cb4ac65ed0a44d6a3609b48afd6161fbdfbf752
              • Instruction ID: 9f462bab66a87d8492d57945222cd32fbf2a2c49417d094b05d8da6ec993edf7
              • Opcode Fuzzy Hash: 694555d6befd4f64bc14f2bd9cb4ac65ed0a44d6a3609b48afd6161fbdfbf752
              • Instruction Fuzzy Hash: 4A21D132600218BBEF119F94CC42FEA3BBAFF49714F110215FA55AB2D0D6B5AC51DBA0
              APIs
              • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 000DA941
              • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 000DA94F
              • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 000DA956
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: MessageSend$DestroyWindow
              • String ID: msctls_updown32
              • API String ID: 4014797782-2298589950
              • Opcode ID: aee18658a42fa9c6e90d58f94adf157fd02793b02065d4141e7d8640e114c857
              • Instruction ID: 1a52b2cac65a4d2d839d6bd2ad7840ae40266f836bb9ab39856bd811e9d7c77c
              • Opcode Fuzzy Hash: aee18658a42fa9c6e90d58f94adf157fd02793b02065d4141e7d8640e114c857
              • Instruction Fuzzy Hash: 05219FB5600209AFDB11DF54CC92DB737ADEB4A364B04005AFA049B352CB70EC119B71
              APIs
              • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 000D9A30
              • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 000D9A40
              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 000D9A65
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: MessageSend$MoveWindow
              • String ID: Listbox
              • API String ID: 3315199576-2633736733
              • Opcode ID: 821756ea5d18c9d24d36990d5de908038bce08a463c9ad7cddae0a0dc5e67d6d
              • Instruction ID: 98627a51af1a8c256dbc9866ca8f47a19b05d817e8d82a6bb2ac1645f507a5d0
              • Opcode Fuzzy Hash: 821756ea5d18c9d24d36990d5de908038bce08a463c9ad7cddae0a0dc5e67d6d
              • Instruction Fuzzy Hash: A521D732610218BFDF218F58DC85FBF3BAAEF89754F01812AF9449B290C6719C51D7A0
              APIs
              • SendMessageW.USER32(?,000000B0,?,?), ref: 000AB5D2
              • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 000AB5E9
              • SendMessageW.USER32(?,0000000D,?,00000000), ref: 000AB621
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: MessageSend
              • String ID: @U=u
              • API String ID: 3850602802-2594219639
              • Opcode ID: 69fc86472f7fabfc4b2c3f072429da4571151369388239d104b6a53004688a78
              • Instruction ID: 5c8915a7dc8748ef007158ccdc134c9e07814d8df214bea4c74ace0cd03a3768
              • Opcode Fuzzy Hash: 69fc86472f7fabfc4b2c3f072429da4571151369388239d104b6a53004688a78
              • Instruction Fuzzy Hash: 71216F72A00108BFDF20DFA8C9429AEB7BDFF45340F140556E505E3191DB75AA119AA4
              APIs
              • SendMessageW.USER32(00000402,00000000,00000000), ref: 000C87F3
              • SendMessageW.USER32(0000000C,00000000,?), ref: 000C8834
              • SendMessageW.USER32(0000000C,00000000,?), ref: 000C885C
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: MessageSend
              • String ID: @U=u
              • API String ID: 3850602802-2594219639
              • Opcode ID: 7068bb8edd34474f3908b52c4ee9b5204e7b2062d59b04d1fe1a924fa7daf648
              • Instruction ID: d03817fbf6f1047f1a7a69c9d36c0dd972292242c120ec5c642e45f313c695a2
              • Opcode Fuzzy Hash: 7068bb8edd34474f3908b52c4ee9b5204e7b2062d59b04d1fe1a924fa7daf648
              • Instruction Fuzzy Hash: 5A216A75600500EFDB00EB65D881E6AB7F9FF09700B40C156FA09DBAA2CB20FC51DB98
              APIs
              • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 000DA46D
              • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 000DA482
              • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 000DA48F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: MessageSend
              • String ID: msctls_trackbar32
              • API String ID: 3850602802-1010561917
              • Opcode ID: 571b75789c1a2c761f9ab6ff470ce78c47ad617182f44643ad2bebc607a05bc6
              • Instruction ID: 1a1c2355c4332aabf70cd098553cc7b97d84b1b956d93e308f4ab73268cd9383
              • Opcode Fuzzy Hash: 571b75789c1a2c761f9ab6ff470ce78c47ad617182f44643ad2bebc607a05bc6
              • Instruction Fuzzy Hash: 5911E771240308BEEF205F64CC49FEB37A9EFC9758F014119FA45961D1D6B1E811DB20
              APIs
              • GetWindowTextLengthW.USER32(00000000), ref: 000D9699
              • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 000D96A8
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: LengthMessageSendTextWindow
              • String ID: @U=u$edit
              • API String ID: 2978978980-590756393
              • Opcode ID: 43d23c1540ccd06891a273043e63edaa4cfe7ecc60139e5161de1304fb3d4345
              • Instruction ID: 9889ddbcfbf74b7963cce29ffb03fd10988ff8695791cafb10d19e73c588e656
              • Opcode Fuzzy Hash: 43d23c1540ccd06891a273043e63edaa4cfe7ecc60139e5161de1304fb3d4345
              • Instruction Fuzzy Hash: 09118C71100208ABEF605FA4DC44EFB3BAAEB05378F104716F965972E0C775DC50AB60
              APIs
              • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 000AB7EF
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: MessageSend
              • String ID: @U=u$ComboBox$ListBox
              • API String ID: 3850602802-2258501812
              • Opcode ID: 45a9db2173f87d419accfe9155b59c2b8b42ac04d65c0cefefc9283310b73fef
              • Instruction ID: 68dfc041bd623f9d049fae99d0c64ecb537f62a51716f2170743fccb3ed19ec2
              • Opcode Fuzzy Hash: 45a9db2173f87d419accfe9155b59c2b8b42ac04d65c0cefefc9283310b73fef
              • Instruction Fuzzy Hash: 1001B171A40118ABDB04EBA4CC52DFE33AAAF47350B04061EF462A72D3EF785918DB94
              APIs
              • SendMessageW.USER32(?,00000180,00000000,?), ref: 000AB6EB
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: MessageSend
              • String ID: @U=u$ComboBox$ListBox
              • API String ID: 3850602802-2258501812
              • Opcode ID: 95eb0db61c04a7502290b8106c77ec0047eb521b0671809ec3883ff8210ccc39
              • Instruction ID: b0ed92aabf8ebd864743865852310aa4e5d4961fc735b733a068f76cdb9b2c8b
              • Opcode Fuzzy Hash: 95eb0db61c04a7502290b8106c77ec0047eb521b0671809ec3883ff8210ccc39
              • Instruction Fuzzy Hash: 3F01A271A41008ABDB14EBE4D952FFE73A99F07344F14001EB402B3583EB685E1897B9
              APIs
              • SendMessageW.USER32(?,00000182,?,00000000), ref: 000AB76C
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: MessageSend
              • String ID: @U=u$ComboBox$ListBox
              • API String ID: 3850602802-2258501812
              • Opcode ID: da79fd8c66c54a5ac12e6acc88a0ee75c710f80c2c85edb9f9b4b07dde7b6f49
              • Instruction ID: 19c324ea5701f97e63ec6313b5535ed8f4ddf56b68870ad47c8001b5168fc2a3
              • Opcode Fuzzy Hash: da79fd8c66c54a5ac12e6acc88a0ee75c710f80c2c85edb9f9b4b07dde7b6f49
              • Instruction Fuzzy Hash: 80012171A40008BBEB00EBE4C902EFE33AC9B07300F10001EB402B3193EBA85E1897B9
              APIs
              • GetForegroundWindow.USER32(?,00131628,000E04C9,000000FC,?,00000000,00000000,?,?,?,000EE47E,?,?,?,?,?), ref: 000DD976
              • GetFocus.USER32 ref: 000DD97E
                • Part of subcall function 0008B34E: GetWindowLongW.USER32(?,000000EB), ref: 0008B35F
                • Part of subcall function 0008B526: GetWindowLongW.USER32(?,000000EB), ref: 0008B537
              • SendMessageW.USER32(010389A0,000000B0,000001BC,000001C0), ref: 000DD9F0
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Window$Long$FocusForegroundMessageSend
              • String ID: @U=u
              • API String ID: 3601265619-2594219639
              • Opcode ID: c2e79ade84b90e90d60c22919ba6208a6d20ff28567ec88a8c4dffb6b17be219
              • Instruction ID: 1b8f3e869731214db8f3a23bd479ff710c51a43212de29e9c4e2c5e403b7d950
              • Opcode Fuzzy Hash: c2e79ade84b90e90d60c22919ba6208a6d20ff28567ec88a8c4dffb6b17be219
              • Instruction Fuzzy Hash: 4B0152752007009FD7149F38D895AA6B7E6BF8A314F18036BE859C77A1DB31AC86CB50
              APIs
                • Part of subcall function 0007103B: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00071052
              • SendMessageW.USER32(?,0000000C,00000000,?), ref: 0007101C
              • GetParent.USER32 ref: 000E2026
              • InvalidateRect.USER32(00000000,?,00000000,00000001,?,0000000C,00000000,?), ref: 000E202D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: MessageSend$InvalidateParentRectTimeout
              • String ID: @U=u
              • API String ID: 3648793173-2594219639
              • Opcode ID: 82d76bf1d9a4b06a7fcf321b306018f729d29f417f15ce77f29f849416bf674b
              • Instruction ID: ef38522046c8e5621c4c95cc8317a37b1e5adf72628847b1680b132787b700db
              • Opcode Fuzzy Hash: 82d76bf1d9a4b06a7fcf321b306018f729d29f417f15ce77f29f849416bf674b
              • Instruction Fuzzy Hash: F7F0A031500284FBFF301F64DC09FE53BA9AB12380F10801AF5989B0E1C6EB5880EB94
              APIs
              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00092350,?), ref: 000922A1
              • GetProcAddress.KERNEL32(00000000), ref: 000922A8
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: RoInitialize$combase.dll
              • API String ID: 2574300362-340411864
              • Opcode ID: 170d6c4983bf230d133db4cc7ea7de7de583b677081e0849df96cfb79a1fbca2
              • Instruction ID: 465780f6ef152e538d5f7c6a5e953e0af5d4025f5275734a3cce01fa377af785
              • Opcode Fuzzy Hash: 170d6c4983bf230d133db4cc7ea7de7de583b677081e0849df96cfb79a1fbca2
              • Instruction Fuzzy Hash: 10E01A70694300BBEB615F70EC59B2437A6BB05702F5040A1B202D58A0CBB88091EF09
              APIs
              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00092276), ref: 00092376
              • GetProcAddress.KERNEL32(00000000), ref: 0009237D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: RoUninitialize$combase.dll
              • API String ID: 2574300362-2819208100
              • Opcode ID: 49aa11608b115e5fa93ae4c96eddf2a631b78fafc2369ee92310bc397e76674d
              • Instruction ID: 938a37d0e4a2e92abf970fd02f0726692a712ddfda16ca40464eb82c9221266f
              • Opcode Fuzzy Hash: 49aa11608b115e5fa93ae4c96eddf2a631b78fafc2369ee92310bc397e76674d
              • Instruction Fuzzy Hash: 48E0B670584304FBEB626F60ED2DB253AB6BB18702F124415F209E6CB0CBB8D590FA19
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: LocalTime__swprintf
              • String ID: %.3d$WIN_XPe
              • API String ID: 2070861257-2409531811
              • Opcode ID: 35d37a39392d788902ab49a14e112f9c2aba8813db1e6942063b05c24a975ba2
              • Instruction ID: 72e04b6d539bc606e0bddce1166d4088a435093d82c7a51a782745c59e9e841a
              • Opcode Fuzzy Hash: 35d37a39392d788902ab49a14e112f9c2aba8813db1e6942063b05c24a975ba2
              • Instruction Fuzzy Hash: 97E0EC71904669DFCA6097919D059FDB37CAB09741F200492B946B1000D635AB94AA22
              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,?,000D21FB,?,000D23EF), ref: 000D2213
              • GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 000D2225
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: GetProcessId$kernel32.dll
              • API String ID: 2574300362-399901964
              • Opcode ID: 39e88c5c2d8f13abb0b6e77220e16129000b17a1c57a355fc8411bc2e1cae01c
              • Instruction ID: 49798b2a30088a384b753d580f8fd3f9047e513969541859e97f75b38e496133
              • Opcode Fuzzy Hash: 39e88c5c2d8f13abb0b6e77220e16129000b17a1c57a355fc8411bc2e1cae01c
              • Instruction Fuzzy Hash: 3CD0A734400722FFD7214F30F80862576D5FF15310B00441BF895E2650D774D880E660
              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,00000000,000742EC,?,000742AA,?), ref: 00074304
              • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00074316
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
              • API String ID: 2574300362-1355242751
              • Opcode ID: 528ab0e7b56bdbd2983897830b5b2e35885992d035fa49f386b1a97f87a04a80
              • Instruction ID: 4c754cc589a2c663358213c377f02b070193d845b42a03c2bf835cfe04c05dbd
              • Opcode Fuzzy Hash: 528ab0e7b56bdbd2983897830b5b2e35885992d035fa49f386b1a97f87a04a80
              • Instruction Fuzzy Hash: 0AD0A730800B22BFD7204F20F80C61576D4BF05301B00841AE559D2560D7B8C880D610
              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,000741BB,00074341,?,0007422F,?,000741BB,?,?,?,?,000739FE,?,00000001), ref: 00074359
              • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0007436B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
              • API String ID: 2574300362-3689287502
              • Opcode ID: b65e13a54e38aca58ac59c3f234c2113e7fd5be562c89b683dfb88d7903c8807
              • Instruction ID: 21727042c1be38f5d7616432ab5f8bad281c9563bf542f0f06b38aa55908d904
              • Opcode Fuzzy Hash: b65e13a54e38aca58ac59c3f234c2113e7fd5be562c89b683dfb88d7903c8807
              • Instruction Fuzzy Hash: 32D0A770840722BFE7214F30F84861576D4BF11715B00851AE499D2550D7B8D880D610
              APIs
              • LoadLibraryA.KERNEL32(oleaut32.dll,?,000B051D,?,000B05FE), ref: 000B0547
              • GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 000B0559
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: RegisterTypeLibForUser$oleaut32.dll
              • API String ID: 2574300362-1071820185
              • Opcode ID: 9be4bc76b5de8cc3bfa385941281456d46582bbee90175c09324c14fca898a74
              • Instruction ID: fea504a6b2a8c216ac7acaa51730510c112f683d2d05b6981547ee0fd27824bd
              • Opcode Fuzzy Hash: 9be4bc76b5de8cc3bfa385941281456d46582bbee90175c09324c14fca898a74
              • Instruction Fuzzy Hash: 78D0A730500B22BFD7308F20F80865776E4BB04301B50C41EE446D2950E774CC80DA10
              APIs
              • LoadLibraryA.KERNEL32(oleaut32.dll,00000000,000B052F,?,000B06D7), ref: 000B0572
              • GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 000B0584
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: UnRegisterTypeLibForUser$oleaut32.dll
              • API String ID: 2574300362-1587604923
              • Opcode ID: f42d1173b532a852e5cc9261a02617b804b9412572096a84120ff38cadcf52bc
              • Instruction ID: 0c22d089cb73363365ddca6fb86438ba6a452d4091a32abc6f6f10218630088b
              • Opcode Fuzzy Hash: f42d1173b532a852e5cc9261a02617b804b9412572096a84120ff38cadcf52bc
              • Instruction Fuzzy Hash: 29D09E70504722AAE7605F65A818A5777E5BB04711B10851AE855D2950E774D880DA60
              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,?,000CECBE,?,000CEBBB), ref: 000CECD6
              • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 000CECE8
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: GetSystemWow64DirectoryW$kernel32.dll
              • API String ID: 2574300362-1816364905
              • Opcode ID: 305913abcbec40f7fde686c2343279f0d88a1459632547c3489507605910c5ca
              • Instruction ID: e89ce7c18fa35cb8fe4a6c99393c7703b3c722b9c6ffe134d8518b146162b37b
              • Opcode Fuzzy Hash: 305913abcbec40f7fde686c2343279f0d88a1459632547c3489507605910c5ca
              • Instruction Fuzzy Hash: 16D0A731400733BFDB205FA0F888B1A76E5BF00300B00841EF845D2550DB74C880F610
              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,00000000,000CBAD3,00000001,000CB6EE,?,0010DC00), ref: 000CBAEB
              • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 000CBAFD
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: GetModuleHandleExW$kernel32.dll
              • API String ID: 2574300362-199464113
              • Opcode ID: a64bcece2ed559f24c45d003ecd529e474dd2ad78b6fa48ae1cab952f222db29
              • Instruction ID: e2d863c72b8032b139f18fbbaae6259bc0a5a11e5a66ebbc023b56d482e78121
              • Opcode Fuzzy Hash: a64bcece2ed559f24c45d003ecd529e474dd2ad78b6fa48ae1cab952f222db29
              • Instruction Fuzzy Hash: DBD0A9B0800723AFE7306F20F849F6A76E8BF00300F00842EE883D2650EBB4CC80EA10
              APIs
              • LoadLibraryA.KERNEL32(advapi32.dll,?,000D3BD1,?,000D3E06), ref: 000D3BE9
              • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 000D3BFB
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: RegDeleteKeyExW$advapi32.dll
              • API String ID: 2574300362-4033151799
              • Opcode ID: 9422433e2801ab9d873d4780a6109cd4b3c67cf6dc51042710412cf41d0100b7
              • Instruction ID: 16a0a0b3bea8becb85ca46ae63a06eefd46cc01ef50e1b7328d7471434733e8c
              • Opcode Fuzzy Hash: 9422433e2801ab9d873d4780a6109cd4b3c67cf6dc51042710412cf41d0100b7
              • Instruction Fuzzy Hash: 78D0A9B0410722EFE7205FA1F808653BAFABB01324B10842BE885E2650EBB4C880DF21
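The run of small functions above all follow one shape: LoadLibraryA on a system DLL followed by GetProcAddress for a single export (Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, GetSystemWow64DirectoryW, GetModuleHandleExW, RegDeleteKeyExW, RegisterTypeLibForUser, UnRegisterTypeLibForUser). Those exports never appear in the PE import table, so a static import listing under-reports what the binary can call. This pattern is consistent with the AutoIt runtime resolving optional APIs late for compatibility (the report flags the sample as a compiled AutoIt script), so on its own it points at the interpreter rather than at the embedded script or the FormBook payload; it is still worth recovering the full list when triaging. The script below is an added example, not part of the Joe Sandbox report: it parses the report's own "APIs" record format, pairs each GetProcAddress with the LoadLibraryA in the same record, and flags a small set of resolved names. The sample text is constructed from records shown on this page, and the INTERESTING table is the editor's own triage heuristic, not a Joe Sandbox rule.

```python
"""
Added example (not part of the Joe Sandbox report): recover imports that the
sample resolves at run time via LoadLibraryA + GetProcAddress from the report's
function records. These never appear in the PE import table.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of this page's "APIs" lines, in the report's own format.
SAMPLE_REPORT = """\
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,00000000,000742EC,?,000742AA,?), ref: 00074304
• GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00074316
Strings
Memory Dump Source
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,000741BB,00074341,?,0007422F,?), ref: 00074359
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0007436B
Strings
APIs
• LoadLibraryA.KERNEL32(oleaut32.dll,?,000B051D,?,000B05FE), ref: 000B0547
• GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 000B0559
APIs
• LoadLibraryA.KERNEL32(advapi32.dll,?,000D3BD1,?,000D3E06), ref: 000D3BE9
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 000D3BFB
APIs
• CoInitialize.OLE32(00000000), ref: 000CAAB4
• CoUninitialize.OLE32 ref: 000CAABF
"""

# One API line: "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR" (no args).
API_LINE = re.compile(
    r"^\s*•\s*(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Resolved names worth a closer look during triage (assumption: editor's own list).
INTERESTING = {
    "Wow64DisableWow64FsRedirection": "disables WOW64 file-system redirection (real System32 from a 32-bit process)",
    "Wow64RevertWow64FsRedirection": "restores WOW64 file-system redirection",
    "RegDeleteKeyExW": "deletes registry keys in a chosen 32/64-bit registry view",
}


def parse_api_lines(text):
    """Yield (record_index, name, module, args, ref) for every API line, in order.
    Each "APIs" header starts a new function record."""
    record = -1
    for line in text.splitlines():
        if line.strip() == "APIs":
            record += 1
            continue
        m = API_LINE.match(line)
        if not m:
            continue  # headers, hashes, "Part of subcall" lines, etc.
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw is not None else []
        yield record, m.group("name"), m.group("module"), args, m.group("ref").upper()


def resolved_imports(text):
    """Pair each GetProcAddress with the LoadLibraryA that precedes it in the same
    record. Returns {dll_name: [(export_name, ref_address), ...]}."""
    pending = {}  # record index -> DLL name passed to LoadLibraryA
    out = defaultdict(list)
    for rec, name, _module, args, ref in parse_api_lines(text):
        if name == "LoadLibraryA" and args:
            pending[rec] = args[0].lower()
        elif name == "GetProcAddress" and len(args) >= 2 and rec in pending:
            out[pending[rec]].append((args[1], ref))
    return dict(out)


def triage(text):
    """Return (dll, export, ref, reason) for resolved exports in INTERESTING."""
    hits = []
    for dll, funcs in resolved_imports(text).items():
        for func, ref in funcs:
            if func in INTERESTING:
                hits.append((dll, func, ref, INTERESTING[func]))
    return hits


if __name__ == "__main__":
    for dll, funcs in resolved_imports(SAMPLE_REPORT).items():
        print(dll, [f for f, _ in funcs])
    for dll, func, ref, why in triage(SAMPLE_REPORT):
        print(f"{dll}!{func} @ {ref}: {why}")
```

Run it against the full report text rather than the embedded sample to get the complete late-bound import list; the pairing is per record, so a GetProcAddress whose LoadLibraryA lives in a different record (or is replaced by GetModuleHandle) is deliberately not matched, which keeps the output conservative.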
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 72ed3d53b0a3c5449e0106e58d4398144c575e46f8f7f2a9b7e9fafc193576c3
              • Instruction ID: f2493d15db1ddef5424436d5384b51d39d127b47c5cd4ce0a1e2255a87a43a2b
              • Opcode Fuzzy Hash: 72ed3d53b0a3c5449e0106e58d4398144c575e46f8f7f2a9b7e9fafc193576c3
              • Instruction Fuzzy Hash: BEC14C75A0021AEFDB14DFE4C884AAEB7B5FF49710F108598E905EB251D731EE81DBA0
              APIs
              • CoInitialize.OLE32(00000000), ref: 000CAAB4
              • CoUninitialize.OLE32 ref: 000CAABF
                • Part of subcall function 000B0213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 000B027B
              • VariantInit.OLEAUT32(?), ref: 000CAACA
              • VariantClear.OLEAUT32(?), ref: 000CAD9D
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
              • String ID:
              • API String ID: 780911581-0
              • Opcode ID: 65dbd3a92ae8382eeae071ff7a20fcff48f8611dc24c1e4c4606a1762ce3ea35
              • Instruction ID: 788c0ee2faae7dcb55dbc36cf7e2f5e558ba1311d093c527278e41d36d145e97
              • Opcode Fuzzy Hash: 65dbd3a92ae8382eeae071ff7a20fcff48f8611dc24c1e4c4606a1762ce3ea35
              • Instruction Fuzzy Hash: 5CA124356046059FDB10EF24C481BAEB7E5BF89714F04844DFA9A9B3A2CB34ED45CB86
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Variant$AllocClearCopyInitString
              • String ID:
              • API String ID: 2808897238-0
              • Opcode ID: a9b79d393323246e5c50619494ce2957db060d7de8dc3b4e4fa4b2fae4fb08ad
              • Instruction ID: f7ce9885dd860389465e630a6e3357a2bd832df4785e34537246c880a89a6405
              • Opcode Fuzzy Hash: a9b79d393323246e5c50619494ce2957db060d7de8dc3b4e4fa4b2fae4fb08ad
              • Instruction Fuzzy Hash: 89518131B043069BDF74AFA6D491AAEB3F5AF46310F20881FE586CB2D2DB7499408705
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: _memset$__filbuf__getptd_noexit_memcpy_s
              • String ID:
              • API String ID: 3877424927-0
              • Opcode ID: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
              • Instruction ID: 4374c11f28f4fd1f08cdade78e337524c21c37a1984f2b3c675c8c571be9b884
              • Opcode Fuzzy Hash: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
              • Instruction Fuzzy Hash: 1151A1B0A04305ABDF389FA9C8856AEB7E1AF40320F24872DF825962D1D7719F50AF40
              APIs
              • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 000B3966
              • SetKeyboardState.USER32(00000080,?,00000001), ref: 000B3982
              • PostMessageW.USER32(00000000,00000102,?,00000001), ref: 000B39EF
              • SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 000B3A4D
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: KeyboardState$InputMessagePostSend
              • String ID:
              • API String ID: 432972143-0
              • Opcode ID: 5b0226a7d08185ec5ff2f36b44a2469ff969901242bb33380a8a84822f05bc26
              • Instruction ID: 639d5b696eccf60a8d1baf81c1faa1ffcf97aef67bc6c6601bc5cf125ac5e77a
              • Opcode Fuzzy Hash: 5b0226a7d08185ec5ff2f36b44a2469ff969901242bb33380a8a84822f05bc26
              • Instruction Fuzzy Hash: 4F413970E44248AEFF709B65C806BFDBBFAAB55310F24015AF4C1A22C1C7B49E85D765
              APIs
              • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 000BE742
              • GetLastError.KERNEL32(?,00000000), ref: 000BE768
              • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 000BE78D
              • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 000BE7B9
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: CreateHardLink$DeleteErrorFileLast
              • String ID:
              • API String ID: 3321077145-0
              • Opcode ID: d61f723db5919f08afed6cfca53e37abaff276ae4d016a0cc48ccb8ef88e9f51
              • Instruction ID: 9e69ed70efd231e747bb134633c9b0d7e3d425c1e6ef621ed4f9b728f1254e41
              • Opcode Fuzzy Hash: d61f723db5919f08afed6cfca53e37abaff276ae4d016a0cc48ccb8ef88e9f51
              • Instruction Fuzzy Hash: F5413539600610DFCB11EF14C445A9DBBE6FF99710B19C099E94AAB3A2CB38FD01DB95
              APIs
              • ClientToScreen.USER32(?,?), ref: 000DD807
              • GetWindowRect.USER32(?,?), ref: 000DD87D
              • PtInRect.USER32(?,?,000DED5A), ref: 000DD88D
              • MessageBeep.USER32(00000000), ref: 000DD8FE
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Rect$BeepClientMessageScreenWindow
              • String ID:
              • API String ID: 1352109105-0
              • Opcode ID: 68c8ea9eaa19754c8c192b2891b8ba9c4821d98f68e06071b4d4a2742b1e198a
              • Instruction ID: fe3d4d62e48e1573420d3f722d69f298bd9c5b14d526b3e60dcc1a675a703630
              • Opcode Fuzzy Hash: 68c8ea9eaa19754c8c192b2891b8ba9c4821d98f68e06071b4d4a2742b1e198a
              • Instruction Fuzzy Hash: 37418EB0A00218EFDB12DF98C885AA9BBF5BF45310F1881A7E4158B355DB30E941EB60
              APIs
              • GetKeyboardState.USER32(?,753DC0D0,?,00008000), ref: 000B3AB8
              • SetKeyboardState.USER32(00000080,?,00008000), ref: 000B3AD4
              • PostMessageW.USER32(00000000,00000101,00000000,?), ref: 000B3B34
              • SendInput.USER32(00000001,?,0000001C,753DC0D0,?,00008000), ref: 000B3B92
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: KeyboardState$InputMessagePostSend
              • String ID:
              • API String ID: 432972143-0
              • Opcode ID: e173210c74487a6131207400fedf7980fab457e7ae068df9d87d6ddbe7d147d7
              • Instruction ID: 082776a1c00b9c9b52d1a518001eda5494a52cb40d1973677855aa0ba97e99de
              • Opcode Fuzzy Hash: e173210c74487a6131207400fedf7980fab457e7ae068df9d87d6ddbe7d147d7
              • Instruction Fuzzy Hash: C7312230A00258AEEF309B648C19FFEBBEA9B55310F24025AE681932D6C7789F45D765
              APIs
              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000A4038
              • __isleadbyte_l.LIBCMT ref: 000A4066
              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 000A4094
              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 000A40CA
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
              • String ID:
              • API String ID: 3058430110-0
              • Opcode ID: cb033bfee224d99f7d60b8ed27d237f7922beefce9a8f24218e3c8f298c9871f
              • Instruction ID: 6ed0683115bb22df02ec4c1f03fe9abbe2cc83f0c9a38a5516211759195c95fc
              • Opcode Fuzzy Hash: cb033bfee224d99f7d60b8ed27d237f7922beefce9a8f24218e3c8f298c9871f
              • Instruction Fuzzy Hash: 2331E439600206EFDF219FB4C845FBA7BE5FF82350F158429E6658B091E7B1D890EB90
              APIs
              • GetForegroundWindow.USER32 ref: 000D7CB9
                • Part of subcall function 000B5F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 000B5F6F
                • Part of subcall function 000B5F55: GetCurrentThreadId.KERNEL32 ref: 000B5F76
                • Part of subcall function 000B5F55: AttachThreadInput.USER32(00000000,?,000B781F), ref: 000B5F7D
              • GetCaretPos.USER32(?), ref: 000D7CCA
              • ClientToScreen.USER32(00000000,?), ref: 000D7D03
              • GetForegroundWindow.USER32 ref: 000D7D09
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
              • String ID:
              • API String ID: 2759813231-0
              • Opcode ID: 1b1668638c07900d24f70e2c229984c37dfbd73dee4e20916967b465e343f7a3
              • Instruction ID: cc5cb8e371d6652959a9e6e578bd3c4408227c0e08bb5c6c1f86e2e3e4ee8ca3
              • Opcode Fuzzy Hash: 1b1668638c07900d24f70e2c229984c37dfbd73dee4e20916967b465e343f7a3
              • Instruction Fuzzy Hash: F131ED71900108AFDB10EFA5D8459FFFBF9EF58314B10846AE855E7212EA359E05DBA0
              APIs
                • Part of subcall function 0008B34E: GetWindowLongW.USER32(?,000000EB), ref: 0008B35F
              • GetCursorPos.USER32(?), ref: 000DF211
              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,000EE4C0,?,?,?,?,?), ref: 000DF226
              • GetCursorPos.USER32(?), ref: 000DF270
              • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,000EE4C0,?,?,?), ref: 000DF2A6
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Cursor$LongMenuPopupProcTrackWindow
              • String ID:
              • API String ID: 2864067406-0
              • Opcode ID: 7d4edc4c25821c572dcadabe959e214c13c44a763ff38f86c67a7d7e93a59d47
              • Instruction ID: 0852206b62dc3e07665b70616f868df8961c4145f060dd6bc98019b9e35ceeb8
              • Opcode Fuzzy Hash: 7d4edc4c25821c572dcadabe959e214c13c44a763ff38f86c67a7d7e93a59d47
              • Instruction Fuzzy Hash: 54218039500518AFDB259F94C859EFE7BB6FF09710F04806AF906472A1D3749951DB60
              APIs
              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 000C4358
                • Part of subcall function 000C43E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 000C4401
                • Part of subcall function 000C43E2: InternetCloseHandle.WININET(00000000), ref: 000C449E
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Internet$CloseConnectHandleOpen
              • String ID:
              • API String ID: 1463438336-0
              • Opcode ID: 08011bb982681e421935322909895bb25158ae657f50016b82f5c36e7bf29e71
              • Instruction ID: 87ac3e7156c593c620f8ccff562bfedf36b6f54c0655ca947ccb1df8ee99a340
              • Opcode Fuzzy Hash: 08011bb982681e421935322909895bb25158ae657f50016b82f5c36e7bf29e71
              • Instruction Fuzzy Hash: 4121D135204B01BBEB219F609C10FBFBBEAFF84710F10411EBA1596650EB71D921ABA0
              APIs
              • GetWindowLongW.USER32(?,000000EC), ref: 000D8AA6
              • SetWindowLongW.USER32(?,000000EC,00000000), ref: 000D8AC0
              • SetWindowLongW.USER32(?,000000EC,00000000), ref: 000D8ACE
              • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 000D8ADC
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Window$Long$AttributesLayered
              • String ID:
              • API String ID: 2169480361-0
              • Opcode ID: 29326a6cefacbcd5f93f38af5f0a34dab160e6c4e66ac7ebbd94a483a34cd664
              • Instruction ID: 57e1c61d0a7cbb593db1c28c36afe1aec9394b3b0a7134d9eaddf8ff885b62ed
              • Opcode Fuzzy Hash: 29326a6cefacbcd5f93f38af5f0a34dab160e6c4e66ac7ebbd94a483a34cd664
              • Instruction Fuzzy Hash: 6C117F31605111AFE715AB18CC05FBA77A9AF85320F14811AF91AC73E2CB74AD01DBA5
              APIs
              • select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 000C8AE0
              • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 000C8AF2
              • accept.WSOCK32(00000000,00000000,00000000), ref: 000C8AFF
              • WSAGetLastError.WSOCK32(00000000), ref: 000C8B16
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: ErrorLastacceptselect
              • String ID:
              • API String ID: 385091864-0
              • Opcode ID: 526fd666b379404c3f82267d585592754d718d2013c367944de3dda7f934cd07
              • Instruction ID: 2589846d7a486a9a469b51137e41282c809700b1e23ca54949d29a0f91b6f4f1
              • Opcode Fuzzy Hash: 526fd666b379404c3f82267d585592754d718d2013c367944de3dda7f934cd07
              • Instruction Fuzzy Hash: C2218471A001249FD7119F69C885AEEBBEDEF49310F00816AF849D7251DB749D41CB94
              APIs
                • Part of subcall function 000B1E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,000B0ABB,?,?,?,000B187A,00000000,000000EF,00000119,?,?), ref: 000B1E77
                • Part of subcall function 000B1E68: lstrcpyW.KERNEL32(00000000,?,?,000B0ABB,?,?,?,000B187A,00000000,000000EF,00000119,?,?,00000000), ref: 000B1E9D
                • Part of subcall function 000B1E68: lstrcmpiW.KERNEL32(00000000,?,000B0ABB,?,?,?,000B187A,00000000,000000EF,00000119,?,?), ref: 000B1ECE
              • lstrlenW.KERNEL32(?,00000002,?,?,?,?,000B187A,00000000,000000EF,00000119,?,?,00000000), ref: 000B0AD4
              • lstrcpyW.KERNEL32(00000000,?,?,000B187A,00000000,000000EF,00000119,?,?,00000000), ref: 000B0AFA
              • lstrcmpiW.KERNEL32(00000002,cdecl,?,000B187A,00000000,000000EF,00000119,?,?,00000000), ref: 000B0B2E
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: lstrcmpilstrcpylstrlen
              • String ID: cdecl
              • API String ID: 4031866154-3896280584
              • Opcode ID: fb0637d71b81cf8beb456f33dac82dc3d6447ec9bb326e5d3038b2d75fb34fb3
              • Instruction ID: 3b4943bb9d14a3618dc87e6a3f051391102c62725fdf35535981217ceafebcf7
              • Opcode Fuzzy Hash: fb0637d71b81cf8beb456f33dac82dc3d6447ec9bb326e5d3038b2d75fb34fb3
              • Instruction Fuzzy Hash: 4011DD3A200305AFDB25AF34DC15EBA77A9FF49310B80402AE806CB2A0EB71D950D7A0
              APIs
              • _free.LIBCMT ref: 000A2FB5
                • Part of subcall function 0009395C: __FF_MSGBANNER.LIBCMT ref: 00093973
                • Part of subcall function 0009395C: __NMSG_WRITE.LIBCMT ref: 0009397A
                • Part of subcall function 0009395C: RtlAllocateHeap.NTDLL(01010000,00000000,00000001,00000001,00000000,?,?,0008F507,?,0000000E), ref: 0009399F
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: AllocateHeap_free
              • String ID:
              • API String ID: 614378929-0
              • Opcode ID: 74e488239344bd0b7804cb2a6b60bcafbc01cec2b5bc28691af419bf53c047b5
              • Instruction ID: f65ecd72f653c1402e97953da493e4b51325002ee4da8164a76cca0c30ad400f
              • Opcode Fuzzy Hash: 74e488239344bd0b7804cb2a6b60bcafbc01cec2b5bc28691af419bf53c047b5
              • Instruction Fuzzy Hash: FA11CA72509216AFDF353BF4AC15BAA3BD4AF06360F204539F95D9A152DB34CD40B790
              APIs
              • _memset.LIBCMT ref: 0008EBB2
                • Part of subcall function 000751AF: _memset.LIBCMT ref: 0007522F
                • Part of subcall function 000751AF: _wcscpy.LIBCMT ref: 00075283
                • Part of subcall function 000751AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00075293
              • KillTimer.USER32(?,00000001,?,?), ref: 0008EC07
              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0008EC16
              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 000E3C88
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
              • String ID:
              • API String ID: 1378193009-0
              • Opcode ID: 47f01e5769dd6412946154ab4fb723b9d7876141ff4c8088813de70861fbcd99
              • Instruction ID: 0a116e074e7ecb6e1cffbbfa6a9f46603dcf1c29702a11a7a25103e6075356fa
              • Opcode Fuzzy Hash: 47f01e5769dd6412946154ab4fb723b9d7876141ff4c8088813de70861fbcd99
              • Instruction Fuzzy Hash: 9021C9709047D4AFE7729B28CC59BEBBFECAB05308F14048EE69E67142C3746A85CB51
              APIs
              • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 000B05AC
              • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 000B05C7
              • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 000B05DD
              • FreeLibrary.KERNEL32(?), ref: 000B0632
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Type$FileFreeLibraryLoadModuleNameRegister
              • String ID:
              • API String ID: 3137044355-0
              • Opcode ID: 9afee3fb8d063aac530e2a7e82b8315263e63fc3edaf418aad8156d000eb40bb
              • Instruction ID: 818e0bd9a346963def889fdb11e9d98ba835cacacae007e1ed905d8c6e4059f2
              • Opcode Fuzzy Hash: 9afee3fb8d063aac530e2a7e82b8315263e63fc3edaf418aad8156d000eb40bb
              • Instruction Fuzzy Hash: 36215E71900219EFEB209F95DC88AEFBBB8FF40704F0084AAE516D6550D774EA55EF60
              APIs
              • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 000B6733
              • _memset.LIBCMT ref: 000B6754
              • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 000B67A6
              • CloseHandle.KERNEL32(00000000), ref: 000B67AF
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: CloseControlCreateDeviceFileHandle_memset
              • String ID:
              • API String ID: 1157408455-0
              • Opcode ID: 41c9c7dea2fd4fa422394fb0edd66e89ea49bf77152ac90304152cd488e57082
              • Instruction ID: 68d7b3b4affa2aa0cba399bb5ca31a8f5415cfd60c2daf99dd4361fcc5f3432d
              • Opcode Fuzzy Hash: 41c9c7dea2fd4fa422394fb0edd66e89ea49bf77152ac90304152cd488e57082
              • Instruction Fuzzy Hash: 7911A3769412287AE7209BA5AC4DFEFBABCEF44764F10419AF504E7190D6784E80CBA4
              APIs
                • Part of subcall function 000AAA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 000AAA79
                • Part of subcall function 000AAA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 000AAA83
                • Part of subcall function 000AAA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 000AAA92
                • Part of subcall function 000AAA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 000AAA99
                • Part of subcall function 000AAA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 000AAAAF
              • GetLengthSid.ADVAPI32(?,00000000,000AADE4,?,?), ref: 000AB21B
              • GetProcessHeap.KERNEL32(00000008,00000000), ref: 000AB227
              • HeapAlloc.KERNEL32(00000000), ref: 000AB22E
              • CopySid.ADVAPI32(?,00000000,?), ref: 000AB247
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
              • String ID:
              • API String ID: 4217664535-0
              • Opcode ID: a7d3e30ed16e5c170ac2429a0ee36014eeefaaed3ce5f487bf3676d3ea73136e
              • Instruction ID: 379aedb8fcf2eb667d4e18d4bf2f319d2d1fad7ae354921ee1bdfb06736e060c
              • Opcode Fuzzy Hash: a7d3e30ed16e5c170ac2429a0ee36014eeefaaed3ce5f487bf3676d3ea73136e
              • Instruction Fuzzy Hash: 5C114F71A00205BFDB249F98DC85BBEB7E9FF86314B14812EE94297252D739AE44DB10
              APIs
              • SendMessageW.USER32(?,000000B0,?,?), ref: 000AB498
              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 000AB4AA
              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 000AB4C0
              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 000AB4DB
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: MessageSend
              • String ID:
              • API String ID: 3850602802-0
              • Opcode ID: 0c16197aff77eb760013154b7deeeb63f112b9a8d28ffb04af26217abd064304
              • Instruction ID: 511decbe5770b4168eee641042e63f652d835fce00696d278251ea4d65edf1c9
              • Opcode Fuzzy Hash: 0c16197aff77eb760013154b7deeeb63f112b9a8d28ffb04af26217abd064304
              • Instruction Fuzzy Hash: F9112A7A900218FFEB11DFA9C985EDDBBB4FB09710F204091E604B7295D771AE11DB94
              APIs
                • Part of subcall function 0008B34E: GetWindowLongW.USER32(?,000000EB), ref: 0008B35F
              • DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0008B5A5
              • GetClientRect.USER32(?,?), ref: 000EE69A
              • GetCursorPos.USER32(?), ref: 000EE6A4
              • ScreenToClient.USER32(?,?), ref: 000EE6AF
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Client$CursorLongProcRectScreenWindow
              • String ID:
              • API String ID: 4127811313-0
              • Opcode ID: bddaa2aa8d4cbc1e19e8fe91ba6a9a687f5322c31f1fb742e4b1dcc9f0ac106c
              • Instruction ID: 38b2e4b962606f7d51eedca08a92be0125e66611b94ad3ad991634f2276b94bb
              • Opcode Fuzzy Hash: bddaa2aa8d4cbc1e19e8fe91ba6a9a687f5322c31f1fb742e4b1dcc9f0ac106c
              • Instruction Fuzzy Hash: 59113671900429FFDB10EF94D8469FE7BB9FB09304F100452E941E7241D334AA81DBA5
              APIs
              • GetCurrentThreadId.KERNEL32 ref: 000B7352
              • MessageBoxW.USER32(?,?,?,?), ref: 000B7385
              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 000B739B
              • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 000B73A2
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
              • String ID:
              • API String ID: 2880819207-0
              • Opcode ID: 059e3c7e23a164630344c93bc19c92486b93d4ade8a8ba2b4e13297bd5714f3d
              • Instruction ID: 12f2a47151b5c2a7471cdd381af596bb79c9a4d4563da91c30625b64ca09a9c4
              • Opcode Fuzzy Hash: 059e3c7e23a164630344c93bc19c92486b93d4ade8a8ba2b4e13297bd5714f3d
              • Instruction Fuzzy Hash: BA11C872A04204BFD7019B6CDC09EEF7BEE9B85710F144356F925D3251D6748E04A7A5
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
              • String ID:
              • API String ID: 3016257755-0
              • Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
              • Instruction ID: cea88a889ac53529657714970ba03596fbdc05673c5e7dd2766e3c19d7ce54d6
              • Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
              • Instruction Fuzzy Hash: 4001783A00014ABBCF629EC4DC018EE3F62BB5A355B488415FA2859031D376CAB2AB81
              APIs
                • Part of subcall function 00097A0D: __getptd_noexit.LIBCMT ref: 00097A0E
              • __lock.LIBCMT ref: 0009748F
              • InterlockedDecrement.KERNEL32(?), ref: 000974AC
              • _free.LIBCMT ref: 000974BF
              • InterlockedIncrement.KERNEL32(01022768), ref: 000974D7
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
              • String ID:
              • API String ID: 2704283638-0
              • Opcode ID: 623fe9bb148919a130cc58575f4d07637dd80dda23cb7adbcba31510ca703285
              • Instruction ID: 630e4b620e130aafa99c0ef318ff308a4ae50c11c0dfd5cbc0d2ec43586b8940
              • Opcode Fuzzy Hash: 623fe9bb148919a130cc58575f4d07637dd80dda23cb7adbcba31510ca703285
              • Instruction Fuzzy Hash: 8701C433916622A7DF62AF24A8057DDBBA0BF04710F144005F45C63A82C7345951FFC2
              APIs
              • __lock.LIBCMT ref: 00097AD8
                • Part of subcall function 00097CF4: __mtinitlocknum.LIBCMT ref: 00097D06
                • Part of subcall function 00097CF4: EnterCriticalSection.KERNEL32(00000000,?,00097ADD,0000000D), ref: 00097D1F
              • InterlockedIncrement.KERNEL32(?), ref: 00097AE5
              • __lock.LIBCMT ref: 00097AF9
              • ___addlocaleref.LIBCMT ref: 00097B17
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
              • String ID:
              • API String ID: 1687444384-0
              • Opcode ID: aafb98fb39425e46466ad5b747d15b10befaa6a966e6c3ef577c05ab7e18c9d8
              • Instruction ID: 26f8acbbc666703bb29a7ca0ef7a0d5137337769164d653296c59983f25b0e78
              • Opcode Fuzzy Hash: aafb98fb39425e46466ad5b747d15b10befaa6a966e6c3ef577c05ab7e18c9d8
              • Instruction Fuzzy Hash: 01018072405B00EFDB20DF75D90578AB7F0EF40321F20890EE49A976A1CB74A680DF01
              APIs
              • _memset.LIBCMT ref: 000DE33D
              • _memset.LIBCMT ref: 000DE34C
              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00133D00,00133D44), ref: 000DE37B
              • CloseHandle.KERNEL32 ref: 000DE38D
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: _memset$CloseCreateHandleProcess
              • String ID:
              • API String ID: 3277943733-0
              • Opcode ID: 99b40f98a38e0bef82a47034461c7135c9993348779cb190e83850637adbb5f9
              • Instruction ID: c131c70171f9f58382b43e2602229f51026c75fd32444c918773e73fe483a066
              • Opcode Fuzzy Hash: 99b40f98a38e0bef82a47034461c7135c9993348779cb190e83850637adbb5f9
              • Instruction Fuzzy Hash: A5F05EF1640304BEF6102BA4AC49FBB7E6CDB05754F404421BE18EA5A2D7799E4096AC
              APIs
                • Part of subcall function 0008AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0008AFE3
                • Part of subcall function 0008AF83: SelectObject.GDI32(?,00000000), ref: 0008AFF2
                • Part of subcall function 0008AF83: BeginPath.GDI32(?), ref: 0008B009
                • Part of subcall function 0008AF83: SelectObject.GDI32(?,00000000), ref: 0008B033
              • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 000DEA8E
              • LineTo.GDI32(00000000,?,?), ref: 000DEA9B
              • EndPath.GDI32(00000000), ref: 000DEAAB
              • StrokePath.GDI32(00000000), ref: 000DEAB9
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
              • String ID:
              • API String ID: 1539411459-0
              • Opcode ID: 9c440bdeefebbaf349424ec25ec2b5957b9ada3c0f21d4a898426aa66ea21c6a
              • Instruction ID: 1d0b10f309017476c9182329807fa5773ce4211c62e7518a2140af9d7be75c9c
              • Opcode Fuzzy Hash: 9c440bdeefebbaf349424ec25ec2b5957b9ada3c0f21d4a898426aa66ea21c6a
              • Instruction Fuzzy Hash: 80F0E231001259BBEB12AF94ED0EFDE3F5AAF06310F044103FA01645E18BB85551DBA6
              APIs
              • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 000AC84A
              • GetWindowThreadProcessId.USER32(?,00000000), ref: 000AC85D
              • GetCurrentThreadId.KERNEL32 ref: 000AC864
              • AttachThreadInput.USER32(00000000), ref: 000AC86B
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
               • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
              • String ID:
              • API String ID: 2710830443-0
              • Opcode ID: fa00aa707730ea031f44a25a042dbde2be6b52d2bbedf2fd042e547893ec0722
              • Instruction ID: 14537f870d7a05ba25bd72761830be4ca039158255ebded8671063a246956299
              • Opcode Fuzzy Hash: fa00aa707730ea031f44a25a042dbde2be6b52d2bbedf2fd042e547893ec0722
              • Instruction Fuzzy Hash: EEE0307114122876FB205BA19C0DEEB7F5DEF067A1F008012B509C4850CA798580D7E0
              APIs
              • GetCurrentThread.KERNEL32 ref: 000AB0D6
              • OpenThreadToken.ADVAPI32(00000000,?,?,?,000AAC9D), ref: 000AB0DD
              • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,000AAC9D), ref: 000AB0EA
              • OpenProcessToken.ADVAPI32(00000000,?,?,?,000AAC9D), ref: 000AB0F1
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: CurrentOpenProcessThreadToken
              • String ID:
              • API String ID: 3974789173-0
              • Opcode ID: 57668266a9b456738186c4ac0c78602fce7b394bf0bd15f5e54cda1393e83d47
              • Instruction ID: cb1415b4096fea077010b25478ec6d77fa1a0b43318ff8a2f5dcc45e2bf3b463
              • Opcode Fuzzy Hash: 57668266a9b456738186c4ac0c78602fce7b394bf0bd15f5e54cda1393e83d47
              • Instruction Fuzzy Hash: 3AE08632601211ABE7605FB15C0CF6B3BE9EF56791F018819F341D6040DB3C8401D760
              APIs
              • GetSysColor.USER32(00000008), ref: 0008B496
              • SetTextColor.GDI32(?,000000FF), ref: 0008B4A0
              • SetBkMode.GDI32(?,00000001), ref: 0008B4B5
              • GetStockObject.GDI32(00000005), ref: 0008B4BD
              • GetWindowDC.USER32(?,00000000), ref: 000EDE2B
              • GetPixel.GDI32(00000000,00000000,00000000), ref: 000EDE38
              • GetPixel.GDI32(00000000,?,00000000), ref: 000EDE51
              • GetPixel.GDI32(00000000,00000000,?), ref: 000EDE6A
              • GetPixel.GDI32(00000000,?,?), ref: 000EDE8A
              • ReleaseDC.USER32(?,00000000), ref: 000EDE95
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
              • String ID:
              • API String ID: 1946975507-0
              • Opcode ID: ae8f7d2b0d10ebed604a0e71ab175422c106c2fafe858551c5bcac3f3cf0e93a
              • Instruction ID: 9b28940f37a19231b77e81d7ad789ba1956a309ff4f33193135de34ea3c631d1
              • Opcode Fuzzy Hash: ae8f7d2b0d10ebed604a0e71ab175422c106c2fafe858551c5bcac3f3cf0e93a
              • Instruction Fuzzy Hash: E2E0ED31504280BEEB616B65AC0DBE83F52FB52336F14C667FAA9580E1C7758581EB11
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: CapsDesktopDeviceReleaseWindow
              • String ID:
              • API String ID: 2889604237-0
              • Opcode ID: 8a66754e1d19d7968d71a0f0c6f36de32b6054443079eda2cb55d5709c3c448c
              • Instruction ID: 55c48bc43c4fa86de38a3ed581c19d60a112cdae9aa3f73ad82e47e0fc756190
              • Opcode Fuzzy Hash: 8a66754e1d19d7968d71a0f0c6f36de32b6054443079eda2cb55d5709c3c448c
              • Instruction Fuzzy Hash: FAE01AB1100204EFEB005F708848A7E7BA6FF4C351F11880AF99ACB651CB789841EB40
              APIs
              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 000AB2DF
              • UnloadUserProfile.USERENV(?,?), ref: 000AB2EB
              • CloseHandle.KERNEL32(?), ref: 000AB2F4
              • CloseHandle.KERNEL32(?), ref: 000AB2FC
                • Part of subcall function 000AAB24: GetProcessHeap.KERNEL32(00000000,?,000AA848), ref: 000AAB2B
                • Part of subcall function 000AAB24: HeapFree.KERNEL32(00000000), ref: 000AAB32
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
              • String ID:
              • API String ID: 146765662-0
              • Opcode ID: 4c9f22b5607fe22b5ba6660a7de966919217409bf6cd4e105600806eca30ba68
              • Instruction ID: 3d236cc3116214f8d7dbb42cdb849e7433617ed26a5b2e0e1a9fa4c54fffe6c4
              • Opcode Fuzzy Hash: 4c9f22b5607fe22b5ba6660a7de966919217409bf6cd4e105600806eca30ba68
              • Instruction Fuzzy Hash: 3BE0BF36104005BBDB016B95DC088ADFB67FF993213108222F61581971CB369471FB91
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: CapsDesktopDeviceReleaseWindow
              • String ID:
              • API String ID: 2889604237-0
              • Opcode ID: 2c012192ad493cd6909a29a50b8e689aa6c521b436470ecdc8c10f0e44c02fbe
              • Instruction ID: 23dc8b134460e7282e430dde87a71d87d9ee61535ca9d25a75554b385972c7f4
              • Opcode Fuzzy Hash: 2c012192ad493cd6909a29a50b8e689aa6c521b436470ecdc8c10f0e44c02fbe
              • Instruction Fuzzy Hash: FCE046B1500200EFEB006F70C84CA7D7BAAFB4C351F11880AF99ACB651CF789801EB00
              APIs
              • OleSetContainedObject.OLE32(?,00000001), ref: 000ADEAA
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: ContainedObject
              • String ID: AutoIt3GUI$Container
              • API String ID: 3565006973-3941886329
              • Opcode ID: 73d8b20540c2b433650b94fdbdbcfb0c47024ddd7c31413934c7ec4d9fdfc0b3
              • Instruction ID: 64513fc87d8a135715c1d22e6b8257c08d01f8a715c91204332fbd4abc539e5d
              • Opcode Fuzzy Hash: 73d8b20540c2b433650b94fdbdbcfb0c47024ddd7c31413934c7ec4d9fdfc0b3
              • Instruction Fuzzy Hash: 49912870600601AFDB64DFA4C884B6AB7F5BF4A710F10856EF94ADB691DBB1E841CB60
              APIs
              • Sleep.KERNEL32(00000000), ref: 0008BCDA
              • GlobalMemoryStatusEx.KERNEL32 ref: 0008BCF3
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: GlobalMemorySleepStatus
              • String ID: @
              • API String ID: 2783356886-2766056989
              • Opcode ID: a8aea3b21731184f7ee6e021af9917f6959ab9ee49ca0204e245138163754724
              • Instruction ID: c137ace4bb1a7e78757213f397a4d1b861e81cfdeca3f875f9ec575ad85772b7
              • Opcode Fuzzy Hash: a8aea3b21731184f7ee6e021af9917f6959ab9ee49ca0204e245138163754724
              • Instruction Fuzzy Hash: 88512572408744ABE320AF14DC86BAFBBECFF94354F41484EF5C8420A6EB7185A9C756
              APIs
                • Part of subcall function 000744ED: __fread_nolock.LIBCMT ref: 0007450B
              • _wcscmp.LIBCMT ref: 000BC65D
              • _wcscmp.LIBCMT ref: 000BC670
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: _wcscmp$__fread_nolock
              • String ID: FILE
              • API String ID: 4029003684-3121273764
              • Opcode ID: b117065718ae7be2337dc41e59a0c938123a0dd0a7014f22886d2b9b99fbccd2
              • Instruction ID: 73c02357d89d210dc698b3f702b2b533b0b6ea8ea2fb1d0e9d7c6fd134473bfd
              • Opcode Fuzzy Hash: b117065718ae7be2337dc41e59a0c938123a0dd0a7014f22886d2b9b99fbccd2
              • Instruction Fuzzy Hash: 2E41D472A0021ABBDF209AA4DC42FEF77B9EF49714F004079F615EB182DB749A04DB65
              APIs
              • SendMessageW.USER32(?,00001132,00000000,?), ref: 000DA85A
              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 000DA86F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: MessageSend
              • String ID: '
              • API String ID: 3850602802-1997036262
              • Opcode ID: 8852e0e782514d09c3b691f49397880b2cb0281e5a6d16a1c7c7e9844e71cfb8
              • Instruction ID: 94d05458fde2167987375e0f62b725ea0a02429664ecca6833d3f32ab73bf98a
              • Opcode Fuzzy Hash: 8852e0e782514d09c3b691f49397880b2cb0281e5a6d16a1c7c7e9844e71cfb8
              • Instruction Fuzzy Hash: B541E574E01309AFDB54CFA8D881BEA7BB9FB09300F14016AE905EB341D775A942DFA1
              APIs
              • _memset.LIBCMT ref: 000C5190
              • InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 000C51C6
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: CrackInternet_memset
              • String ID: |
              • API String ID: 1413715105-2343686810
              • Opcode ID: cf075cf1ffabb3ff9f803569a1de563a6419b898a934a3662b4949b88fb8f8c9
              • Instruction ID: 818720900c54a30e1a94ea8b50a90617913cb37b1ff946ea59a95317da3e1d4a
              • Opcode Fuzzy Hash: cf075cf1ffabb3ff9f803569a1de563a6419b898a934a3662b4949b88fb8f8c9
              • Instruction Fuzzy Hash: 70313971C00109ABDF15AFA4CC85EEE7FB9FF19700F004019F809A6166EB35AA46DBA0
              APIs
              • DestroyWindow.USER32(?,?,?,?), ref: 000D980E
              • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 000D984A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Window$DestroyMove
              • String ID: static
              • API String ID: 2139405536-2160076837
              • Opcode ID: 14f16b65401a582c4269995938353fc274ff20f50fd84a7071cfc59d2fd7c375
              • Instruction ID: d596cf6c48a83d4ee618d8341a1a6ccd3a4838d12cc9ff00dd4f00c66fbf5674
              • Opcode Fuzzy Hash: 14f16b65401a582c4269995938353fc274ff20f50fd84a7071cfc59d2fd7c375
              • Instruction Fuzzy Hash: 43317C71110704AAEB109F74CC81BFB73A9FF59764F00861AF8A9D7291CB31AC82DB60
              APIs
              • SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 000AC2F7
              • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 000AC331
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: MessageSend
              • String ID: @U=u
              • API String ID: 3850602802-2594219639
              • Opcode ID: d75243cb3560fb577a572342f2f94a55f066dce8f618e67e4608a53f218a76e5
              • Instruction ID: bac8d3d3befcd384037647b8dd0f15d4ce7e6aa2ab0b2ad5a68252e0364badb5
              • Opcode Fuzzy Hash: d75243cb3560fb577a572342f2f94a55f066dce8f618e67e4608a53f218a76e5
              • Instruction Fuzzy Hash: 0121E973D00215ABEF15AF98C881DEEB7B9EF89700B128019F919A7291EB745D42C7A0
              APIs
              • _memset.LIBCMT ref: 000B51C6
              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 000B5201
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: InfoItemMenu_memset
              • String ID: 0
              • API String ID: 2223754486-4108050209
              • Opcode ID: 8c42c058d667a7bf093c10331f4948ccf49f0559f0df42a9c1e6284af821bb6f
              • Instruction ID: 3ce03d5a98f498b78027d1e58c9c8ea0b8d4d21689afb0a1a6b61e9e35c2fbd4
              • Opcode Fuzzy Hash: 8c42c058d667a7bf093c10331f4948ccf49f0559f0df42a9c1e6284af821bb6f
              • Instruction Fuzzy Hash: 8A31F631601705AFEB64CF99EC45BEEBBF4FF46351F144099E981A62A0E7709A44CB10
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: __snwprintf
              • String ID: , $$AUTOITCALLVARIABLE%d
              • API String ID: 2391506597-2584243854
              • Opcode ID: 822f0949ece8a37cd386745d4044fd488781162d805e93f4c87ab07635cf7651
              • Instruction ID: 2dcabdba87e9783cfabf4f3ad7706919adc67c9dda11335a205bb0a3fd91c855
              • Opcode Fuzzy Hash: 822f0949ece8a37cd386745d4044fd488781162d805e93f4c87ab07635cf7651
              • Instruction Fuzzy Hash: 72218C71A00218AFCF20EFA4D882FEE73B4AF49740F404459F409AB182DB75EA55CBA5
              APIs
                • Part of subcall function 000B7DB1: GetLocalTime.KERNEL32 ref: 000B7DBE
                • Part of subcall function 000B7DB1: _wcsncpy.LIBCMT ref: 000B7DF3
                • Part of subcall function 000B7DB1: _wcsncpy.LIBCMT ref: 000B7E25
                • Part of subcall function 000B7DB1: _wcsncpy.LIBCMT ref: 000B7E58
                • Part of subcall function 000B7DB1: _wcsncpy.LIBCMT ref: 000B7E9A
              • SendMessageW.USER32(?,00001002,00000000,?), ref: 000D95F8
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: _wcsncpy$LocalMessageSendTime
              • String ID: @U=u$SysDateTimePick32
              • API String ID: 2466184910-2530228043
              • Opcode ID: b3d8022c1ff066c3796d583aede33710d12fe267f6fc5a0430d3c02be67d1b26
              • Instruction ID: 0452e0c60b34907cd39048e3094316db49258a0bbbfb09212e488c439273054a
              • Opcode Fuzzy Hash: b3d8022c1ff066c3796d583aede33710d12fe267f6fc5a0430d3c02be67d1b26
              • Instruction Fuzzy Hash: 3A21B4713403046FEF229E54DC82FEE33AAEB44754F100526F955AB2D5D6B5EC4197B0
              APIs
              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 000ABBB0
                • Part of subcall function 000B422F: GetWindowThreadProcessId.USER32(?,?), ref: 000B425A
                • Part of subcall function 000B422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,000ABBCC,00000034,?,?,00001004,00000000,00000000), ref: 000B426A
                • Part of subcall function 000B422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,000ABBCC,00000034,?,?,00001004,00000000,00000000), ref: 000B4280
                • Part of subcall function 000B430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,000ABC08,?,?,00000034,00000800,?,00000034), ref: 000B4335
              • SendMessageW.USER32(?,00001073,00000000,?), ref: 000ABC17
                • Part of subcall function 000B42D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,000ABC37,?,?,00000800,?,00001073,00000000,?,?), ref: 000B4300
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: Process$MemoryMessageSend$AllocOpenReadThreadVirtualWindowWrite
              • String ID: @U=u
              • API String ID: 1045663743-2594219639
              • Opcode ID: 8a418a57938f4cd94f1c15d5f295abc3867a32496228b78dd237b3f6833550fe
              • Instruction ID: 291059b81b92dc64304b50b43b3d64826d3dc009fdc5f19a174d7e67f6cc3b28
              • Opcode Fuzzy Hash: 8a418a57938f4cd94f1c15d5f295abc3867a32496228b78dd237b3f6833550fe
              • Instruction Fuzzy Hash: 87216031901118ABEF21ABA4DC81FDEBBB5FF05350F1001A5F548E7192EE705B44DBA0
              APIs
              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 000D945C
              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 000D9467
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID: MessageSend
              • String ID: Combobox
              • API String ID: 3850602802-2096851135
              • Opcode ID: 0b2e76e50fafb52a94889fff17ab7f70b7f23d560512bfbb6dbadf8a88a43f6b
              • Instruction ID: a70b67327d32306be810386486c9d30665433e8854051153907019b6c70bc880
              • Opcode Fuzzy Hash: 0b2e76e50fafb52a94889fff17ab7f70b7f23d560512bfbb6dbadf8a88a43f6b
              • Instruction Fuzzy Hash: 1C1190B13002086FEF219E54DC80EBB37AAEB483A4F104226F919973A1D6719C5287B0
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1369628761.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true
              • Associated: 00000000.00000002.1369559182.0000000000070000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.00000000000FD000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369711528.000000000011E000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369766559.000000000012A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1369803536.0000000000134000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_70000_FEdTp2g4xD.jbxd
              Similarity
              • API ID:
              • String ID: @U=u
              • API String ID: 0-2594219639
              • Opcode ID: f5ca23867f5623389de450d3105244d49b59d2b694a8058c6fbf29315fb16bbb
              • Instruction ID: 12627822396f0586ef7de981b90d766272fe559f68cb5732de3eab2346c1dfb1
              • Opcode Fuzzy Hash: f5ca23867f5623389de450d3105244d49b59d2b694a8058c6fbf29315fb16bbb
              • Instruction Fuzzy Hash: 66118B7514431ABAFF258FA48C25FBA37A5EB09714F048117FA16EA2D0D6B4DA10EB70
              APIs
                • Part of subcall function 0007103B: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00071052
              • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 000AD54E
              • _strlen.LIBCMT ref: 000AD559
              Strings
              Similarity
              • API ID: MessageSend$Timeout_strlen
              • String ID: @U=u
              • API String ID: 2777139624-2594219639
              APIs
                • Part of subcall function 0008D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0008D1BA
                • Part of subcall function 0008D17C: GetStockObject.GDI32(00000011), ref: 0008D1CE
                • Part of subcall function 0008D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0008D1D8
              • GetWindowRect.USER32(00000000,?), ref: 000D9968
              • GetSysColor.USER32(00000012), ref: 000D9982
              Strings
              Similarity
              • API ID: Window$ColorCreateMessageObjectRectSendStock
              • String ID: static
              • API String ID: 1983116058-2160076837
              APIs
              • _memset.LIBCMT ref: 000B52D5
              • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 000B52F4
              Strings
              Similarity
              • API ID: InfoItemMenu_memset
              • String ID: 0
              • API String ID: 2223754486-4108050209
              APIs
              • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 000C4DF5
              • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 000C4E1E
              Strings
              Similarity
              • API ID: Internet$OpenOption
              • String ID: <local>
              • API String ID: 942729171-4266983199
              APIs
              • SendMessageW.USER32(?,?,?,?), ref: 000DB22B
              Strings
              Similarity
              • API ID: MessageSend
              • String ID: @U=u
              • API String ID: 3850602802-2594219639
              APIs
              • SendMessageW.USER32(?,00000401,?,00000000), ref: 000D9327
              Strings
              Similarity
              • API ID: MessageSend
              • String ID: @U=u$button
              • API String ID: 3850602802-1762282863
              APIs
              • SendMessageW.USER32(?,0000133E,00000000,?), ref: 000DA5D3
              Strings
              Similarity
              • API ID: MessageSend
              • String ID: @U=u
              • API String ID: 3850602802-2594219639
              APIs
              • inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 000CA84E
              • htons.WSOCK32(00000000,?,00000000), ref: 000CA88B
              Strings
              Similarity
              • API ID: htonsinet_addr
              • String ID: 255.255.255.255
              • API String ID: 3832099526-2422070025
              APIs
                • Part of subcall function 0008B34E: GetWindowLongW.USER32(?,000000EB), ref: 0008B35F
              • DefDlgProcW.USER32(?,0000002B,?,?,?,?,?,?,?,000EE44F,?,?,?), ref: 000DF344
                • Part of subcall function 0008B526: GetWindowLongW.USER32(?,000000EB), ref: 0008B537
              • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 000DF32A
              Strings
              Similarity
              • API ID: LongWindow$MessageProcSend
              • String ID: @U=u
              • API String ID: 982171247-2594219639
              APIs
              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 000AC66D
              • SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 000AC69D
              Strings
              Similarity
              • API ID: MessageSend
              • String ID: @U=u
              • API String ID: 3850602802-2594219639
              APIs
                • Part of subcall function 000AC2DE: SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 000AC2F7
                • Part of subcall function 000AC2DE: SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 000AC331
              • SendMessageW.USER32(?,0000110B,00000005,00000000), ref: 000AC7FC
              • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 000AC80C
              Strings
              Similarity
              • API ID: MessageSend
              • String ID: @U=u
              • API String ID: 3850602802-2594219639
              APIs
              Strings
              Similarity
              • API ID: ClassName_wcscmp
              • String ID: #32770
              • API String ID: 2292705959-463685578
              APIs
              • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 000AA63F
                • Part of subcall function 000913F1: _doexit.LIBCMT ref: 000913FB
              Strings
              Similarity
              • API ID: Message_doexit
              • String ID: AutoIt$Error allocating memory.
              • API String ID: 1993061046-4017498283
              APIs
              • GetSystemDirectoryW.KERNEL32(?), ref: 000EACC0
              • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 000EAEBD
              Strings
              Similarity
              • API ID: DirectoryFreeLibrarySystem
              • String ID: WIN_XPe
              • API String ID: 510247158-3257408948
              APIs
              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 000D86A2
              • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 000D86B5
                • Part of subcall function 000B7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 000B7AD0
              Strings
              Similarity
              • API ID: FindMessagePostSleepWindow
              • String ID: Shell_TrayWnd
              • API String ID: 529655941-2988720461
              APIs
              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 000D86E2
              • PostMessageW.USER32(00000000), ref: 000D86E9
                • Part of subcall function 000B7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 000B7AD0
              Strings
              Similarity
              • API ID: FindMessagePostSleepWindow
              • String ID: Shell_TrayWnd
              • API String ID: 529655941-2988720461